Make User Local Admin - But There's A Catch

[JEngles]

So were still running Windows XP in a 2003 AD enviroment and idealy we want to lock down the users to well just users. But due to dodgey programming or security reasons we need to add around 5% of users to a special group called LocalAdmins which is added to the local administrators group via a GPO.

Now the catch is that because they are part of this group and the it's domain policy, means that they have local admin rights to all computers (Servers are blocked). Now Idealy we could add there domain account to the local administrator grou on the computer, but the domain GPO will strip this out!

Does anyone know of a way / best practice to make users an admin of 1 computer using a centralised method?

Thanks in advance.

 

[mrdenny]

By using WMI filters to specify what users get added which which computers local admin group.

Denny
MCSA (2003) / MCDBA (SQL 2000)
MCTS (SQL 2005 / SQL 2005 BI / SQL 2008 DBA / SQL 2008 DBD / SQL 2008 BI / MWSS 3.0: Configuration / MOSS 2007: Configuration)
MCITP (SQL 2005 DBA / SQL 2008 DBA / SQL 2005 DBD / SQL 2008 DBD / SQL 2005 BI / SQL 2008 BI)
MCM (SQL 2008)
MVP

My Blog

 

[terry712]

use the restricted group setting
you would need the computer in a different ou