This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(192, 94%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
I have created a Security group on a 2019 server. I need to provide users in this group the ability to logon to a workstation add be able to add/remove applications and printers and run-as-administrator to allow an update on an application to run when launched.
I was thinking a Built-in security group may have this capability but I am not able to find one that meets my needs. I can create a GPO(s) for this group but I am struggling with the permissions to set to achieve the needed capabilities on the workstation.
Any advise will be appreciated or an alternate method to achieve this.
Thanks,
Milty
Hello
Thank you for your question and reaching out.
I can understand you wish to give Local Admin to Workstation for Normal users.
Adding AD users to the local administrators group on multiple computers is simple using Group Policy. In this post I’ll describe the process.
Create a fresh group policy object (GPO) and link it to a test Organization Unit (OU). Add a test server to the OU.
Open the GPO and navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Restricted Groups.
RestrictedGroups1
Right click and choose Add Group. If you want to add users to the local administrators group enter Administrators. In the next window under “Members of this group:” click Add and choose the users to add to the local administrators group. Note that any users that are currently in the local administrators group will be removed and replaced with the users you select here. If that is what you want click OK and close the GPO.
RestrictedGroups2
The second method allows you to add an AD security group to the local administrators group. This process is additive and users and groups that are currently in the local administrators group are untouched.
Navigate to Restricted Groups as previous, right click and choose Add Group. This time enter the name of the AD security group you wish to add to the local administrators group. Click Ok and on the next screen in the “This group is a member of:” section click Add. Enter Administrators to add the group to the local administrators group. Click OK and close the GPO to save changes. You can add additional users to the domain group and they will automatically be part of the local administrators group on servers that apply the GPO.
--If the reply is helpful, please Upvote and Accept as answer--