How to add Domain user to local administrators group using Group policy?

  • Question

  • Hello,

    I hope someone can help in my situation. I have Windows 2012 Active Directory and Windows 7 clients.

    I need to add a domain user to the local admin group of the computer that they own. Each user should have local admin rights for his machine only, so if a domain user logs in to another machine they should not have admin privileges. It's each user to his own computer only.

    I thought about creating an OU for each computer and then assigning a group policy (Computer Configuration > Preferences > Control Panel Settings > Local Users and Groups), but this would mean that if I have 200 computers then I would need to create 200 OUs and 200 policies, which is a bad design. I could be wrong in thinking this scenario.

    Any other suggestions to make this simple? A script or group policy setting that I'm not aware of?

    Thank you

    Asad


    Thursday, January 9, 2014 9:50 AM

Answers

All replies

  • Build a simple text file linking computer names to user names, and then use a PowerShell script to add each user to the admins group of his own computer. You'll need to maintain this list of course, and run the script regularly to make sure that if the list changes, the admin assignments change as well.

    I don't see how you could do this via GPO.

    I'd go with PowerShell and do the following: read the list of computer/user assignments, and do a foreach over all computer objects in the domain to add the user for that computer (if it exists) to the Administrators group. There are enough PowerShell examples available if you google for them.

    Thursday, January 9, 2014 10:54 AM
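    The "mapping file plus loop" approach described in this reply, written out as an added example (not code from the thread). It assumes a CSV file named owners.csv with the columns ComputerName and UserName, a placeholder domain NetBIOS name CONTOSO, and that the account running the script is already a local administrator on the targets; it binds through the WinNT ADSI provider because Windows 7 has no Add-LocalGroupMember cmdlet, and it is idempotent so it can be re-run on a schedule.

    ```powershell
    # Added example: grant each mapped owner local admin on their own machine only.
    # Assumptions (not from the thread): owners.csv mapping file, domain CONTOSO.
    param(
        [string]$MappingFile = '.\owners.csv',
        [string]$Domain      = 'CONTOSO'
    )

    # Constructed sample of owners.csv:
    #   ComputerName,UserName
    #   PC001,asad
    #   PC002,jsmith
    $mappings = Import-Csv -Path $MappingFile

    foreach ($row in $mappings) {
        $computer = $row.ComputerName.Trim()
        $user     = $row.UserName.Trim()

        # Skip machines that are offline rather than aborting the whole run.
        if (-not (Test-Connection -ComputerName $computer -Count 1 -Quiet)) {
            Write-Warning "$computer is unreachable; skipping"
            continue
        }

        # Bind to the remote machine's local Administrators group.
        $group = [ADSI]"WinNT://$computer/Administrators,group"

        # Enumerate current members by ADsPath (e.g. WinNT://CONTOSO/asad) so the
        # script only adds when needed and so every run logs who is admin where.
        $members = @($group.Invoke('Members')) | ForEach-Object {
            $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        }
        Write-Verbose ("{0} current admins: {1}" -f $computer, ($members -join ', '))

        $wanted = "WinNT://$Domain/$user"
        if ($members -contains $wanted) {
            Write-Host "$computer : $user is already a local admin"
        } else {
            $group.Add("$wanted,user")
            Write-Host "$computer : added $user to Administrators"
        }
    }
    ```

    The script only adds the mapped owner; it deliberately does not remove other members, so review the logged membership before deciding what to strip from each machine.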
  • > Any other suggestions to make this simple ? script or group policy
    > setting that I'm not aware of.
     
    Group Policy Preferences "Local Users and Groups" can easily do this -
    but you DO need a repository where you store the computer for each user.
    I'd suggest using msds-primarycomputer for this and then use item level
    targeting with an LDAP query for the value of this attribute...
     

    Martin

    Ever read a GOOD book about GPOs?

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))
    • Marked as answer by Frank Shen5 Thursday, January 16, 2014 12:00 PM
    Thursday, January 9, 2014 11:17 AM
  • Thanks Martin, your suggestion seems workable. Could you point me to a link or explain this in detail, as this solution is new for me to understand?
    • Edited by Ad.Malik Thursday, January 9, 2014 11:30 AM
    Thursday, January 9, 2014 11:28 AM
  • > Thanks Martin, your suggestion seems workable. Could you point me to
    > a link or explain this in detail, as this solution is new for me to
    > understand?
     
    Alan has a post on that:
     

    Martin

    Ever read a GOOD book about GPOs?

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))
    • Marked as answer by Frank Shen5 Thursday, January 16, 2014 12:01 PM
    Thursday, January 9, 2014 11:55 AM