local workstation admin account

[Brent]

I want to create a network user account in Active Directory that will grant
the user local admin rights to the network workstation however, I do not
want that account to have admin rights to the servers/network. How can I do
this in a way without having to create the user account locally on all the
1400+ workstations we have? The account will be for a part time technician
that will be working on workstations to do things like to install software
and hardware on the local workstation. I understand that the Domain Admin
group will give the user admin rights to computers in the network but I
assume it also includes the servers and DC's and the built-in Administrators
groups would give the user admin rights to the server too.

Thanks

 

[ys@work]

See if this works for you:

How to Add a Master Domain Administrator Account to the Local Administrators
Group of a Resource Workstation
http://support.microsoft.com/?id=297307

 

[ys@work]

Hi,

Another easier mean instead of using the reskit utility is to use a script
and "net localgroup", like the following:
net localgroup administrators domain\user1 /add

 

[Brent]

Ok, so if I create a domain group such as PartTimeTech and make the user
account a member if that group I could use the Cusrmgr tool to make the
PartTimeTech domain group a member of the local administrators group of the
workstation?

Thanks,
Brent

 

[ys@work]

Yeap. I've just tested it. You could either use 'cusrmgr' to ran the command
remotely or as a script or 'net local group' on the local machines. Both
should work.

Example:
Global Group Name: "WorkstationsAdmins"
Workstation Name: "WS1"
Local Administrators Group Name: "Administrators"
Domain Netbios Name: "MyDomain"

Using 'cusrmgr' (can be executed remotely):
cusrmgr -m \\WS1 -alg Administrators -u WorkstationsAdmins

Using 'net localgroup' (must be executed on the workstation):
net localgroup Administrators MyDomain\WorkstationsAdmins /add