adding domain users automatically to the local admin group

**The Shadow** · 06-06-2011

I have a windows server 2003 domain controller, and I want all of the users in a certain OU to have local administrator privileges on the client computers, so that they can install programs such as MS Office. Yes, I do know that the users already have the rights to install programs such as Chrome, and Fire Fox. I also know that the domain users can't add themselves to the local admin group.

I've read this post and I've tried both the logon and I've tried the Restricted Group trick via a GPO, and sadly neither one has worked.

All of the client computers have the same local username and password that is a member of the local admin group (in my case it's superuser). Is there a logon script out there that can add the domain users to the local admin group using the superuser account and password?

I am also looking to upgrade the windows server 2003 to 2008, is there a new GPO option that will allow me to do this?

Thanks in advance!

**JAMES_911** · 07-06-2011

Well, you can easily do this with Group Policy. Create att policy in active directory and link it to the OU containing your computer accounts. Edit the policy. Under computer configuration, security, restricted groups, you can add a domain group to the local administrators group. The GPO is great if you can use it, but the group membership GPO forces the members to be only the ones in the list -- you cannot have any "extra" administrators unless they are in a separate OU.

**The Shadow** · 07-06-2011

I've tried doing with a GPO, but it doesn't work. I made a screen recording of myself trying to set it up via GPO. Doing it via GPO would definitly be the ideal way of doing things.

Here is the video, please let me know what I am doing wrong.

**EINSTEIN_007** · 07-06-2011

Can you try to go into the Machine Policy for the OU in question, browse down to security settings, and then to Restricted Groups. Create a Restricted Group called Administrators, and then add all the groups/users you want to have in the local admins group. Give the machines 90 minutes or so, and they will refresh and set their local admins membership to whatever you specified.