Local Administrator

[Arsen]

I need a group in AD that will give the user who is a
member of that group, administrative right to only the
computer they are logged into. (Local Administrator). I
have tried to use some type of a GPO's but have not yet
succeeded. Can anyone help?

 

[Arsen]

Oh, the user should not have right to change anything in
the AD, or in the network related to Win2K servers

 

[Herb Martin]

Oh, the user should not have right to change anything in
the AD, or in the network related to Win2K servers

We went though this recently and the "obvious" answer may not be
possible:

Use a "restricted Group" from a GPO.

The practical problem is that when setting up the restricted group on the
domain, there doesn't seem to be a way to even SEE the local Administrators
group. Several of us thought this was possible, but to my knowledge no one
has provided a SPECIFIC method to accomplish the task.

Note: This may just be a "GUI smart" issue (e.g., right-click, select,
choose, etc.)
but so far no one is that (GUI) smart.

[/QUOTE]

 

[Dominic Wyss]

put the new group into the local administrator group.

create a startup script which does a "net localgroup add",
so you don't have to do this membership manually on each pc.