Search the Petri IT Knowledgebase

The Unofficial M365 Changelog

Sponsors

Podcasts

Learning Center
search icon

close

Icon for Latest Whitepaper

Latest Whitepaper

Choosing an MFA Solution for Your Active Directory Environment? Ask These 15 Questions.
Icon for On-Demand Webinar

On-Demand Webinar

Combating Cyberattacks in 2022: Prepare to Defend Your Active Directory
Icon for Live Webinar Coming Soon

Live Webinar Coming Soon

Deep Dive: How to Migrate Native GPOs to Microsoft Intune
Icon for Upcoming Conference

Upcoming Conference

GET-IT Microsoft Cloud Security and Compliance 1-Day Virtual Conference

Home

Active Directory

Manage Workstations Without Domain Admin Rights

Author avatar - Russell Smith

Russell Smith

 |

Jul 9, 2013

How can I manage workstations if I don’t have domain administrator rights?

It’s common that IT staff are given domain administrator rights for a number of reasons, one being that it’s a convenient way to log on to workstations with local administrator privileges. But from a security standpoint, giving high-level access to Active Directory (AD) for the sake of an easy life, puts your IT infrastructure at risk.

Create an AD group for workstation management

First we need to create a management group in Active Directory for users who will have rights to log on to workstations with administrative privileges.

advertisment

  • Log on to Windows Server 2012 with a user account that has rights to create AD users and groups, and create Group Policy Objects (GPO).
  • Open Server Manager from the icon on the desktop Taskbar or from the Start screen.
  • Select Active Directory Users and Computers from the Tools menu.
  • In the Active Directory Users and Computers MMC, right-click the Users container in the left pane, and select New > Group from the menu.
  • In the New Object dialog box, name the group “Workstation Administrators” and click OK.
  • Make sure the Users container is selected in the left pane of the AD Users and Computers MMC and double-click the new group in the right pane. Switch to the Members tab in the properties dialog box and click Add.
  • In the selection dialog box, add any user accounts that you want to give administrative access to workstations and click OK.
  • Click OK in the properties dialog box.

Add the new AD group to the local Administrators group

Now I’m going to create a GPO to add the new AD group to the local Administrators group on all my workstations. I recommend that you create a separate Organizational Unit (OU) for your workstation computer accounts. While it’s possible to apply Group Policy to computer objects in the default Computers container, it would mean linking the GPO to the domain and filtering out domain controllers and member servers.

  • Open Group Policy Management (GPMC) from the Tools menu in Server Manager.
  • In the left pane of GPMC, expand your domain, right-click your workstations OU, and select Create a GPO in this domain, and Link it here from the menu.
  • Call the new GPO “Workstation Administrators” and click OK.
  • Expand your workstations OU, right-click the new Workstation Administrators GPO and select Edit from the menu.
  • In the Group Policy Management Editor window, expand Computer Configuration and Preferences.
  • Under Control Panel Settings, right-click Local Users and Groups, and select New > Local Group from the menu.
  • In the New Local Group Properties window, click the arrow to the left of Group name: and select Administrators (built-in) from the menu. Click Add.

Using Group Policy Preferences to manage the local Administrators group

  • In the Local Group Member dialog, click the box to the right of Name:.
  • Type Workstation Administrators in the selection box and click OK.
  • Click OK in the Local Member Group dialog and again in the properties dialog.
  • Close the Group Policy Management Editor window.

The next time Group Policy applies to computers in the workstations OU, the AD\Workstation Administrators group will be added to the local Administrators group, enabling IT administrators to manage workstations without domain admin privileges.

More from Russell Smith

This Week in IT Ep 19

Microsoft Takes on Rival Calendly with Outlook Bookings - Plus the Latest IT News Updates
Vertical tabs in Edge and Chrome

Find Open Tabs Faster in Chrome and Edge! - Plus IT News Update and Petri Spotlight
Windows Logo

What’s New with Windows – April 2022

advertisment

Petri Newsletters

Whether it’s Security or Cloud Computing, we have the know-how for you. Sign up for our newsletters here.

advertisment

More in Active Directory

Network Security

How to Access Active Directory

May 17, 2022 | Michael Reinders

Cloud Computing

Microsoft Rolls Out Azure AD Verifiable Credentials Service to More Customers

May 11, 2022 | Rabia Noureen

Network Security

Active Directory vs. Azure AD (and Other Identity Providers)

May 9, 2022 | Michael Taschler

Security

Apple Finally Discontinues Support for macOS Server App

Apr 25, 2022 | Rabia Noureen

Datacenter networking servers

Microsoft Issues New Guidance on Securing Domain Controllers

Apr 15, 2022 | Rabia Noureen

Datacenter networking servers

Best Practices for Installing Active Directory Domain Controllers in a Virtual Machine

Apr 15, 2022 | Michael Taschler

Most popular on petri

Log in to save content to your profile.

Login

Sign Up

Username/Email

Password

Forgot Password?

Login

Article saved!

Access saved content from your profile page. View Saved

Reach out

Contact Us

Advertising

About Us

Media Kit

Learn More

Podcasts

Learning Center

Webinars

Sitemap

Windows

Cloud

Office 365

Servers

Join The Conversation

Create a free account today to participate in forum conversations, comment on posts and more.

Copyright ©2019 BWW Media Group

Terms and Conditions of Use

 |

Privacy Policy