Grant local admin rights on their PC to AD users

Omid Shojaee 101 Reputation points
2021-11-23T08:57:06.337+00:00

Hello,

Our domain controller is up and running but we haven't created any users yet.

We need to make sure each new user automatically has administrator rights on his/her PC.

How to achieve this?

Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
3,613 questions
No comments
{count} votes

6 answers

Sort by: Most helpful
  1. Dave Patrick 329.3K Reputation points Microsoft MVP
    2021-11-23T13:53:18.327+00:00

    You can follow along here.
    http://woshub.com/add-domain-users-local-admin-group-gpo/

    --please don't forget to upvote and Accept as answer if the reply is helpful--

    No comments

  2. Omid Shojaee 101 Reputation points
    2021-11-23T14:07:02.367+00:00

    Hello,

    What I asked for:

    1. Automatically.
    2. On his/her own PC only.

  3. Limitless Technology 37,316 Reputation points
    2021-11-23T19:34:35.173+00:00

    Hello @Omid Shojaee

    Restricted groups are one clean option in defining permissions granted through membership in machine local security groups.Domain members should be managed by the domain.

    Desktop Administrators as a group with local administrative permissions on client workstations. Use your Restricted Groups policy to add the Desktop Administrators and Domain Admins to the local Administrators group on however many workstation containers you have. Ideally your support staff (and yourself) don't use privileged accounts for normal desktop work - give everyone a separate account for desktop support that has membership in your Desktop Administrators group.

    For more details reference:

    User Account Control: Admin Approval Mode for the Built-in Administrator account
    https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account

    Active Directory Accounts
    https://learn.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-accounts

    Hope this helps with your query!

    -----------

    --If the reply is helpful, please Upvote and Accept as answer--

    No comments

  4. BOURBITA Thameur 11,551 Reputation points Microsoft MVP
    2021-11-24T12:02:06.52+00:00

    Hi,

    There is no default solution let your adding user automatically in local administrator group.
    Some solutions exist through GPO to add group or a system administrator to perform maintenance task.

    Assign each user automatically local administrator right on his machine is not recommended approach.

    Please don't forget to marl helpful reply as answer

    No comments

  5. Omid Shojaee 101 Reputation points
    2021-11-26T14:47:54.457+00:00

    @Dave Patrick @Limitless Technology

    Hi,

    Thanks for your replies. I'm not in the office so I'll get back to you tomorrow.