Make a user a local admin on their machine but not affect other machines

FurBot

Is there a way to allow a user to be an administrator on their local
machine but not on other machines? Is this done through group policy, and if
so, can someone point me in the right direction?

Thanks in advance

Andy
 
On the machine itself, Control Panel, Users and Groups, make the user a
member of the local Administrators-Group.

Marina
 
Yeah, sure.

On the local machine, add them to the local administrators group. This will
give them total control over their own machine, but only domain level
permissions on the network, and those computers connected to it.

Be careful though, if this particular machine has more than one user, adding
him or her to the Administrator group will allow access to all files for all
users on that one machine.

Rich
 
Local user accounts don't apply because they are logging onto the domain, not
the local machine. I'm thinking it's done through OU and group policy but I'm
not sure how to go about doing that.
 
You're right that local accounts don't apply, but Richard was not suggesting
that.

He was suggesting that you add the user's DOMAIN account to the
administrators group on the LOCAL PC.

If you want to allow any user to be an administrator of a particular machine
only while logged in at the console, you could add the group called
INTERACTIVE to the administrators group. This will give admin access at the
local machine, but not over the network.

Bear in mind that you are allowing your users to look at and modify the
cached profile directories of other users if you do this. If Power User is
sufficient rights, use that instead.

The Group Policy feature you're thinking of is called Restricted Groups. Do
a search on support.microsoft.com for this and you'll find some good
articles.

Regards

Oli
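
The approach from the replies above, as an added example that is not part of the original thread: it adds one domain account to the local Administrators group on the machine where it runs, then lists that group's members and flags broad principals such as INTERACTIVE. It assumes Windows PowerShell 5.1 or later with the built-in LocalAccounts cmdlets, run from an elevated prompt; `CONTOSO\jsmith` is a constructed placeholder account.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. CONTOSO\jsmith is a constructed placeholder.
param(
    [string]$Member = 'CONTOSO\jsmith',   # domain account to make a local admin
    [switch]$Add                          # without -Add the script only audits
)

# BUILTIN\Administrators has the same SID on every Windows install,
# so this also works where the group name is localized.
$AdminsSid = 'S-1-5-32-544'

# Well-known SIDs that turn "anyone who logs on here" into an administrator.
$BroadSids = @{
    'S-1-1-0'  = 'Everyone'
    'S-1-5-4'  = 'INTERACTIVE'
    'S-1-5-11' = 'Authenticated Users'
}

function Get-LocalAdminReport {
    Get-LocalGroupMember -SID $AdminsSid | ForEach-Object {
        $sid  = $_.SID.Value
        $note = if ($BroadSids.ContainsKey($sid)) {
                    "broad principal: $($BroadSids[$sid])"
                } elseif ($sid -match '^S-1-5-21-.*-513$') {
                    'broad principal: Domain Users'   # RID 513 in any domain
                } else { '' }
        [pscustomobject]@{
            Name        = $_.Name
            ObjectClass = $_.ObjectClass
            Source      = $_.PrincipalSource
            SID         = $sid
            Note        = $note
        }
    }
}

if ($Add) {
    # Only add the account if it is not already a member of the group.
    $already = Get-LocalGroupMember -SID $AdminsSid -Member $Member `
                   -ErrorAction SilentlyContinue
    if (-not $already) {
        Add-LocalGroupMember -SID $AdminsSid -Member $Member
    }
}

# Review the result: every row is an account or group with full control of this PC.
Get-LocalAdminReport | Format-Table -AutoSize
```

Run without `-Add` first to see who already holds admin rights on the machine; membership changed this way applies only to the computer the script runs on.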
 