Local administrator as default choice when in domain

Some of our users do some basic management of their Windows computers.
Their accounts are regular users, and they have a local administrator to perform whatever they like: install some crapware, destroy printer settings, allow viruses to take solid ground, etc. (I heard some of them act responsibly, but I think this is a local urban legend).
 

Case 1

  • a Windows computer in a workgroup
  • only one local administrator, named "local_admin"

When a regular user needs to enter an admin credential, the popup is filled with "local_admin" and the user just has to enter the password.

➞ perfect
 


Case 2

  • a Windows computer in a workgroup
  • one local administrator named "local_admin 1"
  • one local administrator named "local_admin 2"

When a regular user needs to enter an admin credential, the popup is empty and the user has to enter the "local_admin x" and the password.

➞ how can we pre-fill with "local_admin 1" ?  


Case 3 (the one which we have)

  • a Windows computer in a domain named "company_domain"
  • the computer's name is "local_name"
  • only one local administrator, named "local_admin" (but I think this is exactly the same thing if there are several)

When a regular user needs to enter an admin credential, the popup is empty BUT the domain is pre-filled with "company_domain". So the user has to enter the user "local_name\local_admin" and the password, which is not convenient because they have to remember/note it most of the time along with the password on a Post-it.

➞ how to pre-fill the local computer's name in place of the domain name, or pre-fill the complete local admin name "local_name\local_admin" ?

We currently create one Active Directory admin_name for each of those users, then configure their computer to put this admin_name into the local admin group (we could alternatively do it from Active Directory).
This method is prone to errors, which then leads to problematic admin privilege leaks.


Solution 1:

I think this will answer Case 3 for you.

Run the local Group Policy editor as Administrator on the user's computer. In Group Policy go to Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Credential User Interface.

Right Click "Enumerate administrator accounts on elevation", click "Edit". The configuration window opens. Choose "Enabled" for this setting. "If you enable this policy setting, all local administrator accounts on the PC will be displayed so the user can choose one and enter the correct password." Choose "Enabled", click "OK" then exit local Group Policy editor.

What's nice is the prompt will remember the last authenticated local admin account. So the user will only need to put in their local admin password at the next UAC prompt. The local administrators are listed in alphabetical order (tested on Windows 8.1 Pro).
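The same setting can be pushed without clicking through gpedit, which matters once you have more than a handful of machines. The following is an added example, not code from the answer above: it writes the registry value that the "Enumerate administrator accounts on elevation" policy controls (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI, DWORD EnumerateAdministrators), reads it back, and then lists the members of the local Administrators group, which is both the set of names the UAC prompt will now offer and the place where the per-user domain admin accounts described in the question accumulate. The function names, and the assumption that no domain GPO already configures this setting, are mine.

```powershell
# Added example, not part of the original answer: apply the setting behind the
# GPO "Enumerate administrator accounts on elevation" by writing the registry
# value it controls, verify it, and list the local admins the UAC prompt will
# now offer. Run from an elevated PowerShell session.
# Assumptions: Windows 8.1 or later; no domain GPO configures this setting
# (a domain GPO would reassert its own value at the next policy refresh).

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI'
$ValueName = 'EnumerateAdministrators'   # DWORD: 1 = Enabled, 0 = Disabled

function Set-EnumerateAdministrators {
    param([switch]$Disable)
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    $value = if ($Disable) { 0 } else { 1 }
    New-ItemProperty -Path $PolicyKey -Name $ValueName -PropertyType DWord `
        -Value $value -Force | Out-Null
}

function Get-EnumerateAdministrators {
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item)        { return 'Not configured' }
    if ($item.$ValueName -eq 1) { return 'Enabled' }
    return 'Disabled'
}

function Get-LocalAdministrators {
    # Members of the local Administrators group via ADSI, which works on 8.1
    # (no LocalAccounts module there). Local principals carry the computer
    # name as a path component (WinNT://<DOMAIN>/<COMPUTER>/<user>); domain
    # principals do not (WinNT://<DOMAIN>/<user>).
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    foreach ($m in @($group.Invoke('Members'))) {
        $path  = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $class = $m.GetType().InvokeMember('Class',   'GetProperty', $null, $m, $null)
        [pscustomobject]@{
            Name    = ($path -replace '^WinNT://', '')
            Class   = $class
            IsLocal = ($path -like "*/$env:COMPUTERNAME/*")
        }
    }
}

Set-EnumerateAdministrators
"EnumerateAdministrators: $(Get-EnumerateAdministrators)"

# Local entries are the names every standard user will now see on the UAC
# prompt. Domain entries are the per-user admin accounts the question
# describes; reviewing this list periodically is how you catch the ones that
# were never removed.
Get-LocalAdministrators | Format-Table -AutoSize
```

Two caveats. Enabling enumeration discloses the local admin account names to anyone who can trigger a UAC prompt on the machine, which is the same disclosure Case 1 already has with a single account, but worth knowing if you have been relying on the name being unknown. And independent of this policy, a user who does not remember the computer name can type `.\local_admin` in the credential prompt: the leading dot stands for the local machine and is accepted wherever `local_name\local_admin` is.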

Solution 2:

This is the exact scenario Microsoft designed User Account Control for. Just make their personal account a local admin. They get a UAC prompt and click Yes. No typing required. http://windows.microsoft.com/en-us/windows/what-is-user-account-control#1TC=windows-7