GPO: User domain as a local administrator

A user domain is a regular user who is used in everyday work to break into a computer and do normal work. These users do not have special permissions that have the potential to cause damage or loss of data. These accounts are usually members of the Domain Users security group.

Under certain conditions, these limitations are very troublesome. Like when they want to install a printer or application on the computer they are using, they (user domain) do not have permission to do so.

To make a user domain a local administrator, we can use GPO (Group Policy Objects) on the Domain Controller. For how to create a Domain Controller, you can see in Windows Server 2019 Promotion as Domain Controller.

TOP TUTORIALS:  Easy Ways to Create Shortcuts on the Desktop in Windows 11

The steps to make a user domain as a local administrator with GPO are as follows.

A. Create a Security Group

  1. From Server Manager >> Dashboard, click Tools and select Active Directory Users and Computers.
security group 01
  1. Next up, create a security group. Click Users, then right-click and select New and then select Group
  1. Then give the group a name, such as Local Admin and then click the OK button.
security group 03
  1. Add members by double clicking Local Admin,then selecting the Members tab and clicking the Addbutton. Next add users who will get permission as local administrators on the computer they use, for example we add User Test 01 and User Test 02. Then click the OK button.
TOP TUTORIALS:  How to Install Chrome OS on a VMWare Virtual Machine
security group 04

B. Creating GPO (Group Policy Objects)

  1. From Server Manager >> Dashboard, click Tools and select Group Policy Management.
gpo user domain to local admin 01
  1. Right-click on Group Policy Objects, then select New.
gpo user domain to local admin 02
  1. Create a GPO name, e.g. Local Admin GPO.
  1. Right-click Local Admin GPO (GPO Name in step 3), then select Edit.
gpo user domain to local admin 04
  1. Right-click Computer ConfigurationPoliciesWindows SettingsSecurity SettingsRestricted Groups, and select Add Group.
gpo user domain to local admin 05
  1. Then click Browse and add a previously created user security group (Local Admin) and click OK twice.
gpo user domain to local admin 06
  1. Next click Add on This group is a member of: and click Browse and add Administrator and Remote Desktop Users Group. What you need to pay attention to when adding a group is that the group must exist and match the local group on the target computer. For example, if you add “Admins”, then on the local target computer group there should be a group with the name “Admins” as well.
TOP TUTORIALS:  How to Enable or Disable Fullscreen Optimizations in Windows 11
gpo user domain to local admin 07
  1. Reopen Group Policy Management. Right-click the domain name (bardimin.local) and select Link an Existing GPO.
gpo user domain to local admin 08
  1. Select Local Admin GPO and click OK.
gpo user domain to local admin 09
  1. Sign in on a PC that is incorporated in a domain with the user you created in the rare Security Group 4 above. Open the CMD and run the gpupdate /forcecommand. Check if the user already has the authority as an administrator on the PC.