GPO: User domain as a local administrator

A user domain is a regular user who is used in everyday work to break into a computer and do normal work. These users do not have special permissions that have the potential to cause damage or loss of data. These accounts are usually members of the Domain Users security group.

Under certain conditions, these limitations are very troublesome. Like when they want to install a printer or application on the computer they are using, they (user domain) do not have permission to do so.

To make a user domain a local administrator, we can use GPO (Group Policy Objects) on the Domain Controller. For how to create a Domain Controller, you can see in Windows Server 2019 Promotion as Domain Controller.

The steps to make a user domain as a local administrator with GPO are as follows.

A. Create a Security Group

1. From Server Manager >> Dashboard, click Tools and select Active Directory Users and Computers.

2. Next up, create a security group. Click Users, then right-click and select New and then select Group

3. Then give the group a name, such as Local Admin and then click the OK button.

4. Add members by double clicking Local Admin,then selecting the Members tab and clicking the Addbutton. Next add users who will get permission as local administrators on the computer they use, for example we add User Test 01 and User Test 02. Then click the OK button.

B. Creating GPO (Group Policy Objects)

1. From Server Manager >> Dashboard, click Tools and select Group Policy Management.

2. Right-click on Group Policy Objects, then select New.

3. Create a GPO name, e.g. Local Admin GPO.

4. Right-click Local Admin GPO (GPO Name in step 3), then select Edit.

5. Right-click Computer ConfigurationPoliciesWindows SettingsSecurity SettingsRestricted Groups, and select Add Group.

6. Then click Browse and add a previously created user security group (Local Admin) and click OK twice.

7. Next click Add on This group is a member of: and click Browse and add Administrator and Remote Desktop Users Group. What you need to pay attention to when adding a group is that the group must exist and match the local group on the target computer. For example, if you add “Admins”, then on the local target computer group there should be a group with the name “Admins” as well.

8. Reopen Group Policy Management. Right-click the domain name (bardimin.local) and select Link an Existing GPO.

9. Select Local Admin GPO and click OK.

10. Sign in on a PC that is incorporated in a domain with the user you created in the rare Security Group 4 above. Open the CMD and run the gpupdate /forcecommand. Check if the user already has the authority as an administrator on the PC.