Local administrative rights to all computers in organizational unit
I need an easy way to give someone local administrative rights to all of the computers within an organizational unit. What are my options (with as many specific details regarding the steps as possible)?
The best way to provide local administrator access is to add the users to the local administrators account on the workstations. One way to do this in a fairly automated fashion would be:
- Create a Domain Global Group that represents the administrators for the OU
- Create a logon script that checks and adds the administrators for the OU to the local administrators group of the workstation (this will require that the local users are administrators or the use of an account that has administrative access already like someone in Domain Admins)
- Create a group policy that assigns this specific logon script and assign it to the OU
- To provide particular people administrative access to the machines in the OU you only need to add them to the group you created in step one.
If you have multiple OU's that you want to perform this action for and as well corresponding sets of administrators, you will end up with multiple groups, logon scripts and group policies. A little more effort and you could likely incorporate all of the changes into a single logon script.
Additional Expert Help:
Be sure to check our Answer FAQ for more expert advice.
For faster answers, visit ITKnowledge Exchange.
This was first published in December 2004