Problem solve
Get help with specific problems with your technologies, process and projects.
How to grant local admin rights with Global Policy Objects
When granting local admin rights, it's important to do it securely. Learn how to use Global Policy Objects and global security groups to do it correctly.
Do you think the following scenario would be a secure, viable option for providing local admin rights? I'm considering creating a domain global security group that includes users that need local admin rights. I would then create a GPO with a login script that is assigned to this group (not to an OU ). The script would then link the domain global security group to the local administrator group of the user's computer. Do you think this would work? Do you think some variation on this might be more secure?
I can see by your question you've taken the time to think about how to leverage group policies in order to grant local admin access rights. I don't see anything wrong with your scenario.
I think what makes this work is the use of the Global Policy Object (GPO). The purpose of GPOs is to get around the fact that various users with similar access requirements may not be in the same Organizational Unit (OU) in the directory. As you stated, once you set up a domain global security group to the GPO, it can then be linked to sites, domains and OUs containing the administrator user objects. The GPO script would then be linked to the local administrator group of the user's computer. It makes perfect sense.
For more information:
- How do group policy objects and the 'Password Never Expires' flag interact? Read more.
- Learn more about using batch files for temporary local admin rights.
This was last published in February 2010
