local admin via gpo

Soldato
Joined
15 Sep 2009
Posts
2,895
Location
Manchester
Add the computer into the security filtering and take out all computers in the GPO. Also filter the user component to a security group and only filter it on that security group, should work fine.
 

GDL


Associate
Joined
10 Sep 2014
Posts
430
Location
UK
Add the computer into the security filtering and take out all computers in the GPO. Also filter the user component to a security group and only filter it on that security group, should work fine.
+1 this.
Restrictive groups with a filtered GPO applying to that one machine.
 
Soldato
Joined
1 Apr 2014
Posts
18,631
Location
Aberdeen
It's a bit more work but a more useful long-term solution is to create a group in AD called something like Local_Admin_PCName, then add that to the PCName\Administrators local group. This makes it easy to manage centrally and allows more than one local admin. For instance, most PCs might have a group called Tech_Support_Staff as a member.
 
Soldato
Joined
18 Oct 2002
Posts
8,121
Location
The Land of Roundabouts
It's a bit more work but a more useful long-term solution is to create a group in AD called something like Local_Admin_PCName, then add that to the PCName\Administrators local group. This makes it easy to manage centrally and allows more than one local admin. For instance, most PCs might have a group called Tech_Support_Staff as a member.


Just to build on this
I was gonna write a quick guide but this is far better and I couldn't quite get my wording legible! :)
http://www.pwrusr.com/system-administration/how-to-setup-per-computer-local-admins-on-a-domain

But you may want to reconsider.
With the whole poop show that is Cyber Essentials, GDPR etc. we can't just give users admin access; privileged accounts now have to be a separate account, so we use LAPS, which dynamically changes the local admin password, so we give that out to allow them to do what they need and then expire the password.
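
An added example, not part of any post in the thread: a PowerShell audit to run on a PC, checking that its local Administrators group holds only the per-computer AD group model described above. The `Local_Admin_<PCName>` and `Tech_Support_Staff` names come from the thread; allowing `Domain Admins` and expecting the built-in Administrator to be the LAPS-managed account are assumptions.

```powershell
# Added example: audit local Administrators against the per-computer group model.
# Group names follow the thread's suggestion; adjust to your own naming scheme.
$allowedGroups = @(
    "Local_Admin_$($env:COMPUTERNAME)",   # per-computer AD group (name from the thread)
    'Tech_Support_Staff',                 # shared support group (name from the thread)
    'Domain Admins'                       # assumption: left in place by policy
)

# S-1-5-32-544 is the well-known SID of BUILTIN\Administrators, so this
# also works on non-English Windows where the group name is localised.
$report = foreach ($m in Get-LocalGroupMember -SID 'S-1-5-32-544') {
    $account = ($m.Name -split '\\')[-1]   # strip the DOMAIN\ or COMPUTER\ prefix

    $verdict = if ($m.PrincipalSource -eq 'Local' -and $m.SID.Value -like '*-500') {
        # Assumption: the built-in account is the one LAPS rotates.
        'OK: built-in Administrator (expected to be LAPS-managed)'
    }
    elseif ($m.ObjectClass -eq 'Group' -and
            $m.PrincipalSource -eq 'ActiveDirectory' -and
            $account -in $allowedGroups) {
        'OK: expected AD group'
    }
    elseif ($m.ObjectClass -eq 'User') {
        # A user added directly bypasses central management through the AD group.
        'REVIEW: account added directly'
    }
    else {
        'REVIEW: unexpected group'
    }

    [pscustomobject]@{
        Member  = $m.Name
        Class   = $m.ObjectClass
        Source  = $m.PrincipalSource
        Verdict = $verdict
    }
}

$report | Format-Table -AutoSize

# A non-zero exit code lets a scheduled task or monitoring agent flag drift.
if ($report.Verdict -like 'REVIEW*') { exit 1 }
```

Anything marked REVIEW is a member that did not arrive through the AD group or the built-in account, which is the drift the group-based approach is meant to prevent.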
 