Automatically add AD users to local Administratores Group

windows active-directory

I am trying to setup an AD domain and I have certain users that need some "power" privileges for installing software on their own machine (and on their own machine only).

I am thinking about creating a users group called Power Users, add the users I want to be eligible, but I am missing how to apply this only on their own computers.

I don't want that they are local Administrators, when they are loggin on other users computers.


Solution 1:

For this scenario I would recommend you implement the free Microsoft Local Administrator Password Solution (LAPS).

The key benefit would be having the password of your SID-500 local administrator account (or another local account of your choosing) managed and synched with Active Directory. Some recommend you deploy policy to disable the SID-500 account and use a GPO preference to create a new local admin user and let LAPS manage that password.

You can then decide how you want to allow users to access this password. They can call up a helpdesk to receive it when needed or you can give their user account read access to the LAPS password attribute on their assigned AD computer object. With the latter you could even write a small script that retrieves the password and elevates a shell for the user.

You would want to implement a user rights assignment policy to deny local administrator accounts access over the network to ensure this cannot be abused over the network. It ensures local admin accounts can only be used at the console. You should be doing all remote administration using a privileged domain account. There's a whole other discussion on auditing and change control for LAPS account usage, but LAPS seems to be the most secure way to give out local admin access and have the password updated automatically and securely.

Solution 2:

I have found the easiest alternative way to achieve this configuration on a domain network.

  1. As you said you can create the Power User Group and you can assign those users to the group.
  2. You can assign user login restrictions by assigning a specific computer name under AD user properties-> Account-> LogonTo-> Click on Following Computers-> and type enduser computer name. Refer attached screenshot.https://i.stack.imgur.com/QrRa2.jpg

Related

Passing arguments to nagios plugin
CentOS 7 Router/DHCP Server: Second NIC adapter plugged in but not sending internet through the cable
Is `zfs destroy fs@snapshot`, a blocking 'stop the world' operation?
Extending disk space after replacing the disks with new / larger ones
Nginx $upsteam_cache_status custom header will not appear
Block Users from Installing programs with Azure AD joined Devices
Do I need 2 virtual hosts for both www.example.com and just example.com?
cannot access some ports even with firewall disabled
Registered domain using Route 53, using Cloudflare for DNS, having problems configuring DNS correctly
Unlock GPO enabled "Lock all taskbars" on one PC
X509 certificates - Are there any naming conventions?
pcs creating cluster fails because of unknown hosts