AD: Local admin without domain admin

Discussion in 'OT Technology' started by iamclarke, Apr 18, 2006.

  1. iamclarke

    iamclarke OT Supporter

    Joined:
    Sep 21, 2002
    Messages:
    153
    Likes Received:
    0
    Is there any way to make an active directory user a local administrator on a group of computers in an OU (or an entire domain for that matter), without having domain/enterprise administrator rights? I've been searching and I can't find any policies or anything to do what I want.

    There has to be some way to do it. Come on AD experts..... :x:
     
  2. deusexaethera

    deusexaethera OT Supporter

    Joined:
    Jan 27, 2005
    Messages:
    19,712
    Likes Received:
    0
    All domain accounts must have permissions that apply to the domain. That is, you couldn't make a domain user a non-domain administrator, or a non-domain anything for that matter. If that's not what you're asking, then I don't understand your question. Please clarify if so.
     
  3. TheRider

    TheRider Geeky OT Supporter

    Joined:
    Jan 27, 2002
    Messages:
    7,362
    Likes Received:
    8
    Location:
    San Diego
    Gpo

    wtf is up with the auto caps correction...
     
  4. iamclarke

    iamclarke OT Supporter

    Joined:
    Sep 21, 2002
    Messages:
    153
    Likes Received:
    0
    OK let me clarify.

    Say I have computer1 that is on the domain. I have Joe User "userj" as a normal domain user. I want userj to become a local administrator on computer1. I do not want userj to be a domain admin. I want to accomplish this in AD rather than on the local computer because IRL I have 100+ computers that I need "userj" to be local admin on, without granting him domain admin privileges.
     
  5. deusexaethera

    deusexaethera OT Supporter

    Joined:
    Jan 27, 2005
    Messages:
    19,712
    Likes Received:
    0
    Accounts cannot span multiple domains, to my knowledge. (count LOCAL as a single-computer domain in this context.) The only thing I can suggest is to give "userj" the password to the built-in local administrator account and have "userj" do their administrating that way.
     
    Last edited: Apr 18, 2006
  6. Yep

    Yep Knick knack paddy whack, give the old dog a bone

    Joined:
    Jan 22, 2001
    Messages:
    4,603
    Likes Received:
    0
    Location:
    South Jersey
    Why not just add him to each machine as a local admin?

    This could probably be accomplished with a simple VBscript run by a domain admin.
     
  7. iamclarke

    iamclarke OT Supporter

    Joined:
    Sep 21, 2002
    Messages:
    153
    Likes Received:
    0
    I don't know any VBscript. I just figured out how to do it using restricted groups though. Thanks anyways.
     
  8. EvilSS

    EvilSS New Member

    Joined:
    Jun 11, 2003
    Messages:
    5,104
    Likes Received:
    0
    Location:
    STL
    Create a domain group called "Local Admins" or something, then add that group to the local admin group on each machine. You can write a VBScript pretty easily to do the additions if you have a large number of machines. You can also use a GPO to add the group but be sure you understand how it works (restricted groups in the machine policy section of the GPO).

    Finally add the user to the "Local Admins" domain group you created.
     
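An added check, not posted by anyone in this thread: once the "Local Admins" domain group has been pushed into the local Administrators group (by script or by a Restricted Groups GPO) and the clients have rebooted, a domain admin can verify from one workstation that every machine's Administrators group holds exactly the intended members and nothing else. It uses the ADSI WinNT provider, which exists on XP/2003-era clients as well as current Windows; the computer names and the allow-list are assumed values.

```powershell
# Added example (PowerShell 3+): audit local Administrators membership on many machines.
# Run as an account that is admin on the targets. Computer names and the allow-list
# below are assumptions; replace them with your own.
param(
    [string[]]$Computers = @('computer1', 'computer2'),
    [string[]]$Allowed   = @('Administrator', 'Domain Admins', 'Local Admins')
)

function Get-LocalAdminMembers {
    param([string]$Computer)
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    # Invoke('Members') returns COM objects; Name and ADsPath are read via reflection.
    # ADsPath looks like WinNT://DOMAIN/Local Admins (domain principal) or
    # WinNT://DOMAIN/computer1/Administrator (local account).
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        $name = $_.GetType().InvokeMember('Name',    'GetProperty', $null, $_, $null)
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        [pscustomobject]@{ Computer = $Computer; Name = $name; Path = $path }
    }
}

foreach ($c in $Computers) {
    try {
        $members = @(Get-LocalAdminMembers -Computer $c)
    } catch {
        Write-Warning "$c : cannot read Administrators group ($($_.Exception.Message))"
        continue
    }
    # Unexpected members mean the policy has not applied yet (Restricted Groups needs the
    # extra client reboot noted later in the thread) or someone was added locally, which
    # deserves an alert. Missing members usually mean a Restricted Groups "Members" list
    # replaced the whole group and left out Domain Admins; "Member Of" only adds.
    $unexpected = @($members | Where-Object { $Allowed -notcontains $_.Name })
    $missing    = @($Allowed | Where-Object { @($members.Name) -notcontains $_ })
    if ($unexpected.Count -or $missing.Count) {
        Write-Output ('{0}: DRIFT unexpected=[{1}] missing=[{2}]' -f $c,
            (($unexpected | ForEach-Object Name) -join ', '), ($missing -join ', '))
    } else {
        Write-Output "$c : OK"
    }
}
```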
  9. borborygmus

    borborygmus Guest

    just add the domain user to the local admin group and your problem is solved
     
  10. RunDMT

    RunDMT OT Supporter

    Joined:
    Jun 26, 2003
    Messages:
    867
    Likes Received:
    0
    Location:
    Two Rivers, AK
    I do it with GPO. Create a security group for the OU and call it "OU Local Admins" or something.

    I just added this to the startup script for the OU GPO:

     
  11. XR250rdr

    XR250rdr OT Supporter

    Joined:
    Mar 1, 2004
    Messages:
    24,479
    Likes Received:
    21
    Location:
    Ca
    I use the restricted groups method with GPO.
     
  12. 5Gen_Prelude

    5Gen_Prelude There might not be an "I" in the word "Team", but

    Joined:
    Mar 14, 2000
    Messages:
    14,519
    Likes Received:
    1
    Location:
    Vancouver, BC, CANADA
    That's what I do :wiggle:
     
  13. XR250rdr

    XR250rdr OT Supporter

    Joined:
    Mar 1, 2004
    Messages:
    24,479
    Likes Received:
    21
    Location:
    Ca
    That really sucks to do 100 times though. This is why group policy was invented. :)
     
  14. 5Gen_Prelude

    5Gen_Prelude There might not be an "I" in the word "Team", but

    Joined:
    Mar 14, 2000
    Messages:
    14,519
    Likes Received:
    1
    Location:
    Vancouver, BC, CANADA
    No, that's why ghost was invented :p
     
  15. borborygmus

    borborygmus Guest

    how is ghost going to solve this problem? :hsughno:
     
  16. iamclarke

    iamclarke OT Supporter

    Joined:
    Sep 21, 2002
    Messages:
    153
    Likes Received:
    0
    Figured out how to use restricted groups and it works great. I didn't know you had to fucking double reboot on the clients for it to take effect though... that threw me off for a while.
     
  17. 5Gen_Prelude

    5Gen_Prelude There might not be an "I" in the word "Team", but

    Joined:
    Mar 14, 2000
    Messages:
    14,519
    Likes Received:
    1
    Location:
    Vancouver, BC, CANADA
    Because every image I do has domain users as part of the local admin group.
     
  18. chips

    chips ...

    Joined:
    May 2, 2004
    Messages:
    3,755
    Likes Received:
    0
    Location:
    Phoenix, AZ
    :werd: This is how it's done. I've done it this way for a while, but only do it for one OU, since if you do it for the Default Domain Policy he will have admin rights on every system in AD...
     
  19. iamclarke

    iamclarke OT Supporter

    Joined:
    Sep 21, 2002
    Messages:
    153
    Likes Received:
    0
    Hmm well one of my co-workers thinks it is possible to use the "net add" command to add a user to the administrators group in a startup script. It doesn't seem to be working though. Getting an access denied error. It seems weird that access is being denied in a group policy defined, domain wide, startup script. Anyone have any ideas as to why we are getting "Access denied"???
     
  20. XR250rdr

    XR250rdr OT Supporter

    Joined:
    Mar 1, 2004
    Messages:
    24,479
    Likes Received:
    21
    Location:
    Ca
    That's maybe useful if you have a unified image for your entire department and if you want to go around and image every system. Plus that makes every user in the domain a local admin of every box.

    Restricted groups takes 5 minutes and it's done.
     
  21. chips

    chips ...

    Joined:
    May 2, 2004
    Messages:
    3,755
    Likes Received:
    0
    Location:
    Phoenix, AZ
    If this is just one PC remotely manage the system and add him to the admin group on the local pc....
     
  22. iamclarke

    iamclarke OT Supporter

    Joined:
    Sep 21, 2002
    Messages:
    153
    Likes Received:
    0
    This is for about 60-70 PCs.
     
  23. chips

    chips ...

    Joined:
    May 2, 2004
    Messages:
    3,755
    Likes Received:
    0
    Location:
    Phoenix, AZ
    Then moving the PCs into one OU and using group policy is your best bet.. IMO
     
