How to make a VPN domain user permanent local admin

[Hassing]

Hi there!

[first post]

One of my remote users was a admin and due to a destructive policy he as user is not part of Administrator list anymore.

I created a new policy and made him part of a "laptop-admin" group. This group is part of the Local administrators group in Windows XP.

Perfect as long as my remote user is connected with VPN to our domain.
To make the rights effective he needs to reboot.

After the reboot, the vpn connection is broken, the "laptop-admin" group is only visable as SID-code. So, my user is not a administrator on his local machine.

- how can I make this remote user part of the local administrator group without given my administrator account (domain or local).

I want him a permament admin, connected and offline.

Please advise me.

best regards, Bart

[vprasad84]

Hi,

I hope the username created in the domain for this particular user is a standard user. Firstofall have you joined the laptop to the domain. If no then first please join the laptop to the domain by connecting vpn using a domain admin user & joining the laptop to the domain. or you can join the laptop to the domain using the lan itself provided the laptop is available in the lan.

Once the laptop is joined to the domain. Reebot the laptop & connect again to the vpn using domain admin user. When VPN is connected in laptop, right click my computer, click on manage, click on local users & groups, double click on the group 'administrators' click on add & add the domain user to this group. This will ensure that the domain user on this laptop would be admin but would be a standard user in the domain.

Once the domain user is added to the local administrators group of laptop, login with the username multiple times so as the laptop would cache the user login & would then allow even if the domain is not available when the user is not connected to vpn.

[Hassing]

- yes the pc is joined in the domain
- so the profile is Domain\username

- I want to fix it with a policy because more computers could need this fix
- policy + gpupdate from client side
- I don't want to do it by hand, (make an administrative login, start vpn, add the user to the admin group, logout)

- The policy works, I have my new groups in the list (containing the users)
- these groups won't work after a disconnect from the network (laptops!!)

Suggestions??