Group Policy setting each PC a local administrator


  • Hi there,

    Is there a way (using group policy) to set each PC a local administrator? Or if possible, enable the user installation rights to their workstation only (and no others) and also disallow them to browse other user directories?


    John is set up on workstation PC001

    Dorris is set up on workstation PC002

    Both John and Dorris have rights to install software to their own machines respectively; however, when John logs onto PC002, his profile should sync but he should not be able to install software nor browse Dorris' user folders (C:\Users\Dorris). Dorris now returns to her machine and logs on; she should not be able to browse John's user folders (C:\Users\John) despite having the profile sitting on her machine (PC002).

    Is there a way to achieve this automatically? It's not ideal setting everyone up individually in an environment of around 200 users.



    • Edited by HamishForbes Thursday, February 06, 2014 2:07 AM
    Thursday, February 06, 2014 2:01 AM


All replies

  • Hi

    Please see How to use Group Policy Preferences to Secure Local Administrator Groups

    Basically, just set them as admin of their workstation, and when they log into another workstation without being administrator, that will lock them automatically.

    Be aware that syncing a profile means you use roaming profiles too, so watch out for that too.

    Regards, Philippe

    Thursday, February 06, 2014 2:16 AM
  • That has most of my issue solved, however the "owner of the machine", say Dorris on PC002, can still browse John's files that have now cached themselves after he logged on. Since she's a local admin. Would be great to allow the users to install software WITHOUT giving them total local admin access. Is this possible?
    Thursday, February 06, 2014 4:01 AM
  • Make the user work on the network share with desktop/my documents redirected and your solution will be good. The goal is to have no user save locally.

    Regards, Philippe

    Thursday, February 06, 2014 4:23 AM
  • Thank you for replying - are you implying that there is no way to grant installation rights without local administration rights?
    Sunday, February 09, 2014 10:51 PM
  • Hi Hamish,

    As Yagmoth555 suggested and as far as I know, in Active Directory for standard users to install software, we must give them local admin rights.

    Best regards,

    Frank Shen 

    Monday, February 10, 2014 10:43 AM
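
An added example, not part of any reply in this thread: a PowerShell check that each workstation's local Administrators group holds only the baseline accounts plus that machine's assigned owner, which is the state the Group Policy Preferences approach above aims for. The CONTOSO domain, the owner mapping, the baseline list and the sample memberships are constructed assumptions.

```powershell
# Added example. CONTOSO, the mapping and the sample memberships are constructed.
$Owners   = @{ PC001 = 'CONTOSO\John'; PC002 = 'CONTOSO\Dorris' }  # workstation -> its one admin user
$Baseline = @('CONTOSO\Domain Admins')                             # expected on every workstation

function Test-LocalAdminMembership {
    param(
        [Parameter(Mandatory)] [string]   $ComputerName,
        [Parameter(Mandatory)] [string[]] $Members
    )
    # Assumes the built-in Administrator account has not been renamed.
    $allowed = @("$ComputerName\Administrator") + $Baseline
    $owner = $Owners[$ComputerName]
    if ($owner) { $allowed += $owner }

    # Any member outside the allow list is a finding (comparison is case-insensitive).
    foreach ($m in $Members) {
        if ($allowed -notcontains $m) {
            [pscustomobject]@{ Computer = $ComputerName; Account = $m; Finding = 'Unexpected local admin' }
        }
    }
    # The assigned owner should be present, otherwise the policy did not apply.
    if ($owner -and ($Members -notcontains $owner)) {
        [pscustomobject]@{ Computer = $ComputerName; Account = $owner; Finding = 'Owner missing from Administrators' }
    }
}

# Constructed memberships: PC002 wrongly also lists John as a local admin.
$Sample = @{
    PC001 = @('PC001\Administrator', 'CONTOSO\Domain Admins', 'CONTOSO\John')
    PC002 = @('PC002\Administrator', 'CONTOSO\Domain Admins', 'CONTOSO\Dorris', 'CONTOSO\John')
}
foreach ($pc in ($Sample.Keys | Sort-Object)) {
    Test-LocalAdminMembership -ComputerName $pc -Members $Sample[$pc]
}

# On a live workstation (PowerShell 5.1 or later), pass the real membership of BUILTIN\Administrators:
# Test-LocalAdminMembership -ComputerName $env:COMPUTERNAME -Members (Get-LocalGroupMember -SID 'S-1-5-32-544').Name
```

With the constructed data, the only finding is CONTOSO\John on PC002; PC001 produces no output.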