Milty-2632 asked LimitlessTechnology-2700 answered

Assign active directory security group for limited access on Workstation

I have created a Security group on a 2019 server. I need to provide users in this group the ability to log on to a workstation and be able to add/remove applications and printers and run-as-administrator to allow an update on an application to run when launched.

I was thinking a Built-in security group may have this capability but I am not able to find one that meets my needs. I can create a GPO(s) for this group but I am struggling with the permissions to set to achieve the needed capabilities on the workstation.

Any advice will be appreciated or an alternate method to achieve this.

Thanks,

Milty

windows-10-security

1 Answer

LimitlessTechnology-2700 answered

Hello

Thank you for your question and reaching out.

I can understand you wish to give Local Admin to Workstation for Normal users.

Adding AD users to the local administrators group on multiple computers is simple using Group Policy. In this post I’ll describe the process.

Create a fresh group policy object (GPO) and link it to a test Organizational Unit (OU). Add a test server to the OU.

Open the GPO and navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Restricted Groups.


Right click and choose Add Group. If you want to add users to the local administrators group enter Administrators. In the next window under “Members of this group:” click Add and choose the users to add to the local administrators group. Note that any users that are currently in the local administrators group will be removed and replaced with the users you select here. If that is what you want click OK and close the GPO.


The second method allows you to add an AD security group to the local administrators group. This process is additive and users and groups that are currently in the local administrators group are untouched.

Navigate to Restricted Groups as before, right click and choose Add Group. This time enter the name of the AD security group you wish to add to the local administrators group. Click OK and on the next screen in the “This group is a member of:” section click Add. Enter Administrators to add the group to the local administrators group. Click OK and close the GPO to save changes. You can add additional users to the domain group and they will automatically be part of the local administrators group on servers that apply the GPO.



--If the reply is helpful, please Upvote and Accept as answer--
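
Added example, not part of the original answer: a PowerShell check to run on a test workstation after the GPO applies. It confirms the AD group landed in local Administrators and flags the side effect of the "Members of this group" method, which replaces existing members. The group name `CONTOSO\Workstation-Admins` and the baseline list are placeholder assumptions.

```powershell
# Added example: audit local Administrators after the Restricted Groups GPO applies.
# Assumptions (not from the original post): the group name and baseline list
# below are placeholders; replace them with the values for your domain.
$ExpectedGroup = 'CONTOSO\Workstation-Admins'   # placeholder AD security group
$Baseline      = @(                             # placeholder: members that must survive the policy
    "$env:COMPUTERNAME\Administrator",
    'CONTOSO\Domain Admins'
)

function Compare-AdminMembership {
    param(
        [string[]]$Actual,         # current members, as DOMAIN\name strings
        [string]$ExpectedGroup,    # group the GPO is supposed to add
        [string[]]$Baseline        # members expected to remain after the GPO
    )
    $allowed = @($ExpectedGroup) + $Baseline
    [pscustomobject]@{
        GroupPresent    = $Actual -contains $ExpectedGroup
        MissingBaseline = @($Baseline | Where-Object { $Actual -notcontains $_ })
        Unexpected      = @($Actual   | Where-Object { $allowed -notcontains $_ })
    }
}

# Resolve the group by its well-known SID (S-1-5-32-544) so a localized
# group name does not break the check.
$actual = @(Get-LocalGroupMember -SID 'S-1-5-32-544' |
            Select-Object -ExpandProperty Name)

$result = Compare-AdminMembership -Actual $actual `
                                  -ExpectedGroup $ExpectedGroup `
                                  -Baseline $Baseline

if (-not $result.GroupPresent) {
    Write-Warning "GPO not applied yet: $ExpectedGroup is not a local administrator."
}
if ($result.MissingBaseline) {
    # Typical result of the replace-style 'Members of this group' setting.
    Write-Warning "Baseline members removed: $($result.MissingBaseline -join ', ')"
}
if ($result.Unexpected) {
    Write-Warning "Unexpected local administrators: $($result.Unexpected -join ', ')"
}
$result
```

Run it after `gpupdate /force` on a machine in the test OU, before linking the GPO more widely.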
