07-10-2012, 09:26 PM
Using Group Policy to set a user or group as a local administrator on client PCs in a Windows domain
A quick guide on using Group Policy and Restricted groups to put users in the local Administrators group.
This is good if somebody needs to have Administrator rights to Install software while keeping them out of the domain admins group.
1) Create a new Security Group in AD, name it appropriately such as LocalAdmins and add whoever you want to be a local admin.
2a) Open Group Policy Management Console
b) Right click on the OU containing computers.
c) Click Create a GPO in this domain, and link it here.
d) Name it appropriately such as "LocalAdmins"
e) You should see the policy in the tree now.
3a) Right click "LocalAdmin" policy and select Edit...
b) Expand Computer configuration\Windows Settings\Security Settings\Restricted Groups
c) In the Right pane of Restricted Groups, Right click and hit "Add Group..."
d) Browse and select LocalAdmins.
e) Click Add under "This group is a member of:" and add the "Administrators" Group.
Wait 15 minutes, or log on to a PC and type gpupdate /force and check the local administrators group. You should see LocalAdmins in the group now.
Notes
Be sure to link the GPO to an OU containing client computers and not at domain level as that would apply it to servers as well.
Restricted Groups is designed specifically to work with Local Groups.
APPLIES TO: Microsoft Windows 2000 Server, 2003, 2008 and 2011