Manage Local Admin. with GPO?

[Guest]

It's the age old issue of laptop users wanting/needing admin. priveleges to
the local computer. We support a couple hundred laptops and have granted them
admin priveleges until recently. We have several developers that have a
business need to install/modify software on their laptops. At the moment we
create a local account and put it in the admin group. They use the "run as"
feature and can work on. The problem, as always, is keeping track of these.
We'd rather not keep a spreadsheet with the info, that doesn't get updated.
I'm wondering if there's a way to do this via GPO? The users will only need
admin access to their laptop, they don't roam.

 

[Steven L Umbach]

If you don't mind those users being administrators on every other developers
computer also you could try using Group Policy Restricted Groups. Create a
group called developers or whatever with the proper domain users and use
Restricted Groups to add that group to the local administrators group on the
laptops that would need to be in their own OU that has the Group Policy with
Restricted Groups applied to it.

Steve

http://www.windowsecurity.com/articles/Using-Restricted-Groups.html --
Restricted Groups