How to give local admin rights and Remote Desktop (on a specific machine only ) to a domain user

PerserPolis-1732 1,576 Reputation points
2024-02-07T12:09:35.8366667+00:00

Hi, I want to give a user in AD local admin rights and Remote Desktop access, but a specific user should be allowed only on a specific machine and not on all machines in AD. For example: "user1" should have local admin rights only on his machine named "test1" and should be able to access only his machine "test1" via RDP.

I have to mention that we have many users and machines.

For example: users: user2, user3, user4 and so on; machines: test2, test3, test4 and so on. It means user1 is allowed to connect via RDP only to machine test1 and not to the test2, test3, test4 machines; the same for local admin.

But I don't want to create a GPO for each machine and user, and I don't want to use "Restricted Groups". As I know, we can use "Local Users and Groups" under Windows Settings ---> Control Panel Settings ---> Local Users and Groups and then "New Group" --> "Remote Desktop Users (built-in)" or "Administrators (built-in)". I know we can use "%ComputerName%" for Admin and RDP.

Where and how do I add the machines and users for RDP and local admin in the GPO?

How can I set this up in my AD? Regards


4 answers

  1. Thameur-BOURBITA 32,641 Reputation points
    2024-02-08T09:04:01.3133333+00:00

    Hi @PerserPolis-1732

    There is an option through Group Policy Preferences (GPP) that you can use. This solution is based on environment variables to find the groups or users to be added to the local Administrators group based on the computer name %computername%.

    For more details please refer to the following article: https://blog.jonasdahlgren.se/2022/03/14/gpo-and-local-administrator-group/

    If you cannot use this option, unfortunately you have to add them one by one in Group Policy Preferences and use the item-level targeting option.

    Please don't forget to accept the helpful answer.


  2. Karlie Weng 16,431 Reputation points Microsoft Vendor
    2024-02-12T08:37:04.61+00:00

    Hello,

    Maybe you can use a PowerShell script to do the job. You can change the variables so it can apply to all the users. Here's an example:

    # Define the username to be added to the local Administrators group and Remote Desktop Users group
    $user = "test1"
    $computerName = "testpc"
    
    # Add the user to the local Administrators group
    $group = [ADSI]"WinNT://$computerName/Administrators,group"
    # This path resolves a local account on $computerName; for a domain account use the
    # domain name instead of the computer name, i.e. "WinNT://DOMAIN/$user,user"
    $userObj = [ADSI]"WinNT://$computerName/$user,user"
    $group.Add($userObj.Path)
    
    # Add the user to the Remote Desktop Users group
    $rdGroup = [ADSI]"WinNT://$computerName/Remote Desktop Users,group"
    $rdGroup.Add($userObj.Path)
    
    # Optional: Display a message indicating the completion of the operation
    Write-Host "User $user has been added to the local Administrators group and Remote Desktop Users group on $computerName."


    If the Answer is helpful, please click "Accept Answer" and upvote it.


  3. Marius Ene 335 Reputation points
    2024-02-13T16:16:10.1966667+00:00

    Hi,

    First you need to have remote access to those test machines so you can connect remotely and add the users to the local groups locally. If you add them to Administrators there is no need to add them to Remote Desktop Users. You can take the example that was indicated by @Karlie Weng and put it in a script to loop through each machine. You can use the Invoke-Command cmdlet to execute commands on the remote machines and, alternatively, depending on the version, you can use Add-LocalGroupMember to add the user to the group.

    Before proceeding, ensure that:

    • PowerShell Remoting is enabled on the target computers (Enable-PSRemoting -Force on each target machine).
    • You have the necessary administrative privileges on the target computers.
    • The account you're using to run the script has permission to add users to the local Administrators group on the remote computers.

    Here is a basic script example. Replace DOMAIN\User with the actual domain and username you want to add, and update the $computers array with the hostnames of the computers you wish to target.

    # Define the list of computers you want to connect to
    $computers = @('ComputerName1', 'ComputerName2') # Add more as needed
    
    # Define the domain user you want to add to the local Administrators group
    $domainUser = "DOMAIN\User"
    
    # Loop through each computer and add the domain user to the local Administrators group
    foreach ($computer in $computers) {
        try {
            # -ErrorAction Stop turns remote errors into terminating errors so the catch block runs
            Invoke-Command -ComputerName $computer -ErrorAction Stop -ScriptBlock {
                param($user)
                Add-LocalGroupMember -Group "Administrators" -Member $user -ErrorAction Stop
            } -ArgumentList $domainUser
            Write-Host "Successfully added $domainUser to the Administrators group on $computer."
        } catch {
            Write-Error "Failed to add $domainUser to the Administrators group on $computer. Error: $_"
        }
    }
    

  4. Marius Ene 335 Reputation points
    2024-02-14T08:41:22.74+00:00

    GPOs are useful for applying a set of configurations to one or more target computers. According to you and what you want to do, it would require 1 GPO for each user to target 1 machine. The alternative solution was to run a script from a central location, say your domain controller, and the script would connect remotely to the computers to update the local Administrators group. The only catch is that it needs PS remoting enabled and the machines available and online at the same time while the script is running.

    Here is another solution for you. You create a file containing the mappings (user1-comp1, user2-comp2, etc.), place it in a share and secure the ACL. Create a GPO with a startup script that connects to the share, reads the content of the file, matches the current computer name from the list and adds the corresponding user to the local Administrators group. This way it will apply to machines whenever they start up.

    Here is the documentation to implement startup scripts: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn789196(v=ws.11) So now you have a solution to implement via GPO.

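A computer startup script implementing the mapping-file approach described in the last answer, as an added example that is not part of the original thread. The share path, file name and the column names Computer and User are assumptions, and the share ACL is assumed to give Domain Computers read-only access and only a small admin group write access, since whoever can edit the file can grant local admin.

```powershell
# Added example, not from the original thread: a GPO computer startup script that reads
# a user-to-computer mapping file from a share and adds only the user mapped to the
# current computer to the local Administrators group (Administrators can already use RDP).
# Assumptions (placeholders): the file is \\fileserver\gpo$\LocalAdminMap.csv with the
# columns Computer,User, and the share ACL gives Domain Computers read-only access.

$MapPath = '\\fileserver\gpo$\LocalAdminMap.csv'
$LogPath = "$env:SystemRoot\Temp\LocalAdminMap.log"

function Write-Log {
    param([string]$Message)
    "$(Get-Date -Format o) $Message" | Out-File -FilePath $LogPath -Append -Encoding utf8
}

try {
    # Constructed file content, e.g.: "Computer,User", "test1,CONTOSO\user1", "test2,CONTOSO\user2"
    $map = Import-Csv -Path $MapPath
} catch {
    Write-Log "Could not read mapping file '$MapPath': $_"
    exit 1
}

# Keep only the rows for this computer; one GPO and one script then serve every machine.
$rows = @($map | Where-Object { $_.Computer -ieq $env:COMPUTERNAME })
if ($rows.Count -eq 0) {
    Write-Log "No mapping for $env:COMPUTERNAME; nothing to do."
    exit 0
}

foreach ($row in $rows) {
    $user = $row.User.Trim()
    # Accept only DOMAIN\name entries, so a malformed or tampered line cannot grant
    # rights to an unexpected principal such as a local or well-known account.
    if ($user -notmatch '^[A-Za-z0-9._-]+\\[A-Za-z0-9._$-]+$') {
        Write-Log "Skipping malformed entry '$user'."
        continue
    }
    try {
        # Idempotent: skip when the principal is already a member.
        $members = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop)
        if ($members.Name -contains $user) {
            Write-Log "$user is already in Administrators; skipping."
            continue
        }
        Add-LocalGroupMember -Group 'Administrators' -Member $user -ErrorAction Stop
        Write-Log "Added $user to Administrators."
    } catch {
        Write-Log "Failed to process $user on $($env:COMPUTERNAME): $_"
    }
}
```

Assign it as a computer startup script in the GPO linked to the OU containing the test machines; it runs as SYSTEM, so the share is accessed with the computer account, and the log file shows what each machine did at boot.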