
Local Admin rights


  • Local Admin rights

    Hi friends,

    I want to provide local admin rights to some of our users. How can I?
    I tried it with a security group, but with this they will be administrators of each other's computers as well, which is not good. They should be administrators of only their own computer. Can anyone help me?

  • #2
    Re: Local Admin rights

    Moved from Coffee Lounge to AD forum

    Restricted groups is the normal option but that, as you say, works with multiple computers. There may be third party tools, or maybe a script of some sort.

    You could look here:
    (but registration is required)
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    IT Trainer / Consultant
    Ossian Ltd

    ** Remember to give credit where credit is due and leave reputation points where appropriate **


    • #3
      Re: Local Admin rights

      Have you tried searching the Petri KB?

      I'm making an assumption that you want to give specific users local admin on a single host... but you should be able to use PowerShell to do this easily enough, provided you have usernames and hostnames....
      Rules of life:
      1. Never do anything that requires thinking after 2:30 PM
      2. Simplicity is godliness
      3. Scale with extreme prejudice

      I occasionally post using a savantphone, so please don't laugh too hard at the typos...


      • #4
        Re: Local Admin rights

        Originally posted by sonoftipu:

        > They should be administrator to only their computer
        Step 1:
        Users must be associated with their computer first.
        You can create a reference to the user in the properties of the computer object in Active Directory. You can use either the "managedBy" attribute or the "manager" attribute for this.
        The "managedBy" attribute of the computer object is linked automatically with the "managedObjects" attribute of the user, just as "manager" and "directReports" are a linked pair controlled by ADUC.

        Step 2:
        Create a script that reads the user name from the computer object's properties and then adds this user to the local Administrators group.

        Here is a PowerShell example:
        $Computer = $env:COMPUTERNAME
        # find this computer's object in AD and read its managedBy attribute (a distinguished name);
        # property names in the result collection are lower case
        $Result = ([adsisearcher]"(&(objectCategory=computer)(name=$Computer))").FindOne()
        $ManagedBy = $null
        if ($Result -and $Result.Properties['managedby']) { $ManagedBy = $Result.Properties['managedby'][0] }
        if ($ManagedBy -ne $null) {
          # Start-Sleep -s 3  # optional delay if the GPP group update has not been applied yet
           # translate the distinguished name to a NetBIOS (DOMAIN\user) name with IADsNameTranslate
           $DN = $ManagedBy
           $objTrans = New-Object -ComObject "NameTranslate"
           $objNT = $objTrans.GetType()
           $objNT.InvokeMember("Init", "InvokeMethod", $Null, $objTrans, (3, $Null))  # 3 = ADS_NAME_INITTYPE_GC
           $objNT.InvokeMember("Set", "InvokeMethod", $Null, $objTrans, (1, "$DN"))   # 1 = ADS_NAME_TYPE_1779 (DN)
           $UserAccount = $objNT.InvokeMember("Get", "InvokeMethod", $Null, $objTrans, 3)  # 3 = ADS_NAME_TYPE_NT4
           $Usr = $UserAccount -replace '\\','/'   # DOMAIN\user -> DOMAIN/user for the WinNT provider
           # requires elevated privileges!
           $Group = [ADSI]"WinNT://$Computer/Administrators,group"
           # add the user to the local Administrators group unless s/he is already a member
           $Members = @($Group.Invoke("Members") | ForEach-Object {
             $_.GetType().InvokeMember("ADsPath", "GetProperty", $null, $_, $null) })
           if ($Members -notcontains "WinNT://$Usr") {
             $Group.Add("WinNT://$Usr,user")
           }
        } else { "No manager was defined" }
        Step 3: (the sample below is just one of many ways; I chose this not-the-best way just to inspire)
        Now configure the GPO for the computers.
        1. Configure a new 'Scheduled task' (group policy preferences).
          • Configure the task for Vista or above.
          • Run as an administrator.
          • Action: Update
          • Run whether the user is logged on or not.
          • Run with the highest privileges. Run hidden.
          • Trigger: "At startup"
          • Actions: "Start a program"; Program: powershell.exe; Add arguments: -executionpolicy ByPass -file "path to the .ps1 file"

        2. Configure 'Local users and groups' (group policy preferences).
          • Local group name: Administrators (built-in).
          • Action: Update
          • Tick: Delete all member 'Users' and 'Groups'.
          Add: the Domain Admins group!!, and other members if needed.
          That will reset the local Administrators group to its default every time the computer starts*). Even if it is OK for a user to stay a local admin on this computer forever, s/he might have tampered with the group.
        (The scheduled task runs by the time the group update is applied. If for some reason it does not, you could add a delay of a few seconds before the user is added to the local group.)

        Maybe you don't need the second group policy preference to clean up the local group (* the policy is applied not only at startup but also multiple times during the day, and it will then remove the user from the group); it is also possible to have that done by the same script before it adds the user.
        Instead of creating a scheduled task to launch the script, you could also run it as a startup script. The 'run as' user (when launched by the Task Scheduler), or the Domain Computers group and the System account, should have access and read permissions on the script. You need to be absolutely sure that the user cannot tamper with the script.

        The sample script above is a PowerShell v2+ script (*.ps1), but you can also do the same with a VBS script (*.vbs).

        Last edited by Rems; 27th June 2013, 16:12.

        This posting is provided "AS IS" with no warranties, and confers no rights.


        ** Remember to give credit where credit's due **
        and leave Reputation Points for meaningful posts
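
As an added example (not Rems's code, nor anything from Petri): a PowerShell script that does the clean-up Rems mentions at the end of post #4 inside the script itself, instead of leaving it to the GPP 'Local users and groups' item, and then adds the managedBy user. It assumes the same convention as the post (managedBy on the computer object points at the user), that it runs elevated at startup (for instance as SYSTEM from the scheduled task), and that `$env:USERDOMAIN` is the computer's domain when run as SYSTEM. The allow list (the built-in Administrator account and Domain Admins) and the function names are illustrative and would be adjusted per environment.

```powershell
# Added example, not from the original thread. Resets the local Administrators group to an
# allow list plus the computer's managedBy user, so that members added by hand disappear at
# the next run. Must run elevated (e.g. as SYSTEM from the GPP scheduled task).
$Computer = $env:COMPUTERNAME
$Domain   = $env:USERDOMAIN        # assumption: run as SYSTEM, so this is the computer's domain

# Members that must always remain, as 'CONTAINER/Name' keys (assumed allow list; adjust it).
$Keep = @("$Computer/Administrator", "$Domain/Domain Admins")

function ConvertTo-MemberKey {
    # The WinNT provider reports local members as WinNT://DOMAIN/COMPUTER/Name and domain
    # members as WinNT://DOMAIN/Name; keep the last two segments, lower-cased, to compare.
    param([string]$ADsPath)
    $parts = ($ADsPath -replace '^WinNT://', '') -split '/'
    ($parts[-2..-1] -join '/').ToLower()
}

function Get-ManagedByNT4 {
    # Returns DOMAIN\Name for the object in this computer's managedBy attribute, or $null.
    param([string]$ComputerName)
    $r = ([adsisearcher]"(&(objectCategory=computer)(name=$ComputerName))").FindOne()
    if (-not $r -or -not $r.Properties['managedby']) { return $null }
    $dn = $r.Properties['managedby'][0]
    $t  = New-Object -ComObject "NameTranslate"
    $ty = $t.GetType()
    $ty.InvokeMember("Init", "InvokeMethod", $null, $t, (3, $null))   # ADS_NAME_INITTYPE_GC
    $ty.InvokeMember("Set",  "InvokeMethod", $null, $t, (1, $dn))     # ADS_NAME_TYPE_1779 (DN)
    $ty.InvokeMember("Get",  "InvokeMethod", $null, $t, 3)            # ADS_NAME_TYPE_NT4
}

function Get-LocalGroupMemberPaths {
    # ADsPath of every current member of a WinNT group object.
    param([System.DirectoryServices.DirectoryEntry]$Group)
    @($Group.Invoke("Members") | ForEach-Object {
        $_.GetType().InvokeMember("ADsPath", "GetProperty", $null, $_, $null)
    })
}

$Group = [ADSI]"WinNT://$Computer/Administrators,group"

# 1. Who is allowed: the fixed allow list plus the managedBy user (if one is set).
$Allowed = @($Keep | ForEach-Object { $_.ToLower() })
$nt4 = Get-ManagedByNT4 -ComputerName $Computer
if ($nt4) { $Allowed += ($nt4 -replace '\\', '/').ToLower() }
else      { Write-Warning "No managedBy set on $Computer; only the allow list will remain" }

# 2. Remove everything else, including orphaned SIDs of deleted accounts (their ADsPath
#    carries the SID instead of a name, so they never match the allow list).
foreach ($path in Get-LocalGroupMemberPaths $Group) {
    if ($Allowed -notcontains (ConvertTo-MemberKey $path)) {
        Write-Output "Removing $path"
        $Group.Remove($path)
    }
}

# 3. Add whoever is on the allow list but missing. managedBy may point at a user or a
#    group, so try the user class first and fall back to group.
$Current = @(Get-LocalGroupMemberPaths $Group | ForEach-Object { ConvertTo-MemberKey $_ })
foreach ($key in $Allowed) {
    if ($Current -notcontains $key) {
        Write-Output "Adding WinNT://$key"
        try   { $Group.Add("WinNT://$key,user") }
        catch { $Group.Add("WinNT://$key,group") }
    }
}
```

Two consequences worth keeping in mind when running something like this: the script is only as trustworthy as its file ACL and the computer object's ACL, since anyone who can edit the .ps1 runs code as SYSTEM on every machine the GPO targets, and anyone who can write managedBy on a computer object decides who becomes its local administrator. Step 3 of the script also means that if the built-in Administrator account has been renamed, the allow list must use the renamed account or the script will try (and fail) to add a non-existent user.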


        • #5
          Re: Local Admin rights

          Any reason you wouldn't use Preferences through group policy?