How to edit group policy objects to give a user local admin rights

Giving a user local admin rights to his or her computer alone can be a tricky prospect. In this expert answer, Mike Chapple explains what Group Policy objects can and can't do to make this happen.

University of Notre Dame

I want to be able to give a user rights (power user or admin) to his or her local computer and only his or her local computer. Can this be accomplished through Group Policy objects? If so, would it require a policy for each computer?

I've wanted to accomplish exactly the same thing in several organizations I've worked with, and, unfortunately,...

Step 2 of 2:

You forgot to provide an Email Address.

This email address doesn’t appear to be valid.

This email address is already registered. Please login.

You have exceeded the maximum character limit.

Please provide a Corporate E-mail Address.
- I agree to TechTarget’s Terms of Use, Privacy Policy, and the transfer of my information to the United States for processing to provide me with relevant information as described in our Privacy Policy.
Please check the box if you want to proceed.
- I agree to my information being processed by TechTarget and its Partners to contact me via phone, email, or other means regarding information relevant to my professional interests. I may unsubscribe at any time.
Please check the box if you want to proceed.

there isn't a good solution. You're left with several options, each of which isn't wholly satisfying:

Add all users to the administrators group on every machine in your domain. This obviously raises security concerns as every user now has admin control over every computer.
Create separate policies for each user in the organization. This is not a scalable solution!
Use a middle-ground solution that divides computers into Active Directory Organizational Units (OUs) and assigns rights based upon OU membership. You'll still have the same security concerns as the first option, but it's a little more workable, as an individual's admin rights are limited to systems in the OU.

Let's all hope that Microsoft does something to address this in a future version of Group Policy!

For more information:

Do the Group Policy Object and 'Password Never Expires' flag interact? Read more.
Learn about the pros and cons of using stand-alone authentication that is not Active Directory-based.

This was last published in July 2009

Related Q&A from Mike Chapple

How to prevent DoS attacks in the enterprise

It's not possible to eradicate the risk of DoS attacks, but there are steps infosec pros can take to reduce their impact. Mike Chapple shares ... Continue Reading

How should HIPAA covered entities respond to healthcare ransomware?

The HHS OCR ruled that healthcare ransomware attacks are HIPAA violations, so these covered entities need to react according to the HHS's guidance. ... Continue Reading

Should healthcare organizations follow the NIST guidelines for HIPAA?

HIPAA regulations incorporate NIST guidelines and standards, so do healthcare organizations need to be compliant with both? Expert Mike Chapple ... Continue Reading

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

Meet all of our Information Security experts

View all Information Security questions and answers

Related Resources

Dig Deeper on Active Directory security

Related Q&A from Mike Chapple

Have a question for an expert?

Start the conversation

0 comments

Register

Login

Forgot your password?

Your password has been sent to:

Please create a username to comment.