nav[aria-label="Primary Navigation"] { padding: 0; & ul { list-style: none; width: 100%; display: flex; flex-direction: row; justify-content: start; align-items: start; gap: 30px; padding: 0; & li { margin: 0; } & ul li { list-style: none; } } }

Placing a domain user in local admin. group

GaryLeung

Looking for some help here. Lets say a domain user wants to install an application on their machine which require admin. privileges. So I decide to place him/her in the local admin. group on his/her computer. How would I go about that? I read in other posts this could be done via GPO and Restricted groups. Can this be accomplished in any other way? For example on the client machine?

Find more posts tagged with

SAVE $250 on Your Microsoft Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View Microsoft Boot Camps

Comments

gateway

GaryLeung wrote: »

Looking for some help here. Lets say a domain user wants to install an application on their machine which require admin. privileges. So I decide to place him/her in the local admin. group on his/her computer. How would I go about that? I read in other posts this could be done via GPO and Restricted groups. Can this be accomplished in any other way? For example on the client machine?

Ok, there are several options here. Firstly, is there any reason why you cannot perform the install for the user so they are not given the priviledges for too long? just a thought...

You can add them to the local administrators group (right click my computer, click manage, go to users and groups and add their domain/local account into the admins group)

Depending on how your AD is set up, we have a domain local admins group which is a member of local admins on all machines, so we could add users into that group instead so they have the rights on any pc they log into.

We also have a templocaladmins group in AD. We have created a vb script that clears users out of this group at 7pm each night, so we never leave staff in local admins and forget about them.

There are plenty of other ways too... runas etc

hope this helps

Devilsbane

Add the user to a group. Lets say the LAdmin group. Now on the local machine, add this group as a member to the administrators group.

If every user needs local admin rights, then just add the domain user group to the administrator group on each client. Once you have implemented either of these policies, adding this new setting to your os image should be easy.

You can also use scripts to add this to the current machines.