It's best practice for users not to be administrators on their PCs. However, sometimes you need to make certain users administrators: maybe a program they use needs to run with administrator privileges, or they are an owner who is tech savvy and wants to install programs themselves. You can do this on each PC they use with netplwiz, but that is manual and slow. There is an easier way with Group Policy: when a user needs to be an admin on all PCs they log in to, you simply add them to a group you create on the server.

  1. Log in to the server and open “Active Directory Users and Computers”.
  2. Create a global security group called “local admins”. Just a tip: I like to create a separate OU for my users and groups on my DC.
  3. Right-click the group and select Properties. Under the Members tab, add the users you would like to be administrators on their PCs. Select “Check Names” after each name to ensure you have the correct user.
  4. Open “Group Policy”, select the domain name, right-click it and select “Create a GPO in this domain and link it here”. Name it Local Admins.
  5. Right-click this policy and select Edit, then go to Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups.
  6. Right-click Restricted Groups and select “Add Group”. In the box that appears, select Browse.
  7. Enter your group name “local admins” and select “Check Names”. Select OK, then OK again.
  8. In the next window that appears, under “This group is a member of”, select Add.
  9. Select “Browse” and enter the groups “Administrators” and “Remote Desktop Users”. Select “Check Names” to ensure you have the correct groups, then select OK, then Apply.
  10. To test, go to a computer that has a user you added to the “local admins” group and log them out. After you log back in as that user, they should have admin privileges on that PC.
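
To confirm step 10 from the computer's side, the following added example (not part of the original steps) forces a computer policy refresh and checks that the domain group is a member of both local groups. The domain name CONTOSO and the function name Test-LocalAdminsPolicy are assumptions.

```powershell
# Added example: check that the Restricted Groups policy landed on this PC.
# Run in an elevated Windows PowerShell 5.1+ session on a domain-joined computer.
# Assumption: CONTOSO is a placeholder for your domain's NetBIOS name.
$DomainGroup = 'CONTOSO\local admins'
$LocalGroups = 'Administrators', 'Remote Desktop Users'

function Test-LocalAdminsPolicy {
    param(
        [Parameter(Mandatory)] [string]   $DomainGroup,
        [Parameter(Mandatory)] [string[]] $LocalGroup
    )
    foreach ($name in $LocalGroup) {
        $members = @(Get-LocalGroupMember -Group $name -ErrorAction Stop)

        # Domain accounts added one by one (for example with netplwiz) bypass
        # the group-based model and are worth reviewing.
        $direct = @($members | Where-Object {
            $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'ActiveDirectory'
        })

        [pscustomobject]@{
            LocalGroup        = $name
            PolicyGroupMember = ($members.Name -contains $DomainGroup)
            DirectDomainUsers = ($direct.Name -join ', ')
            MemberCount       = $members.Count
        }
    }
}

# Computer policy is applied at startup and on background refresh; force it now.
gpupdate /target:computer /force | Out-Null

$report = Test-LocalAdminsPolicy -DomainGroup $DomainGroup -LocalGroup $LocalGroups
$report | Format-Table -AutoSize

# Warn if the domain group is missing from either local group.
if ($report.PolicyGroupMember -contains $false) {
    Write-Warning "'$DomainGroup' is missing from at least one local group."
}
```

Because the GPO in step 4 is linked at the domain, it applies to every computer in the domain that the policy reaches, so the same check is worth running on servers as well as PCs.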