If you want certain members to be local administrators of computers, you can do it through Group Policy. The idea here is to create a Local Admin security group and then a GPO that adds that security group to the local Administrators group of the computer.
CREATE THE SECURITY GROUP
- Open Active Directory Users and Computers
- Select your Security Group OU
- Right-click and select New > Group
- Give the group a name. I used “Helpdesk_Engineers”
CREATE THE GPO
- Open Group Policy Management Console.
- Right-click the OU that contains the systems you want to set the local admin on
- Select “Create a GPO in this domain, and Link it here…”
- Name the GPO. I used “Set Local Administrators”
- Right-click the GPO and select Edit.
- Set the following:
- Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups
- Right-click and select “Add Group…”
- Select browse and add the Administrators group
- Select OK
- Double click Administrators
- Select Add for “Members of this group:”
- Browse and find your security group. I added “Helpdesk_Engineers”
That should be it. Now you can set which users of the domain are local administrators of their computers.
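To confirm the policy landed on a target computer, the check below (an added example, not part of the original post) refreshes computer policy and compares the local Administrators membership against what the GPO should produce. A Restricted Groups “Members of this group” list is authoritative: members not on the list are removed, except the built-in Administrator account, so the script treats everything else as unexpected. The domain name CONTOSO and the function name Test-LocalAdminMembership are placeholders chosen for this example.

```powershell
# Added example. CONTOSO is a placeholder domain name; Helpdesk_Engineers is
# the group name used in the steps above. Run in an elevated session.
function Test-LocalAdminMembership {
    param(
        [string[]]$ExpectedMembers = @('CONTOSO\Helpdesk_Engineers')
    )

    # S-1-5-32-544 is the well-known SID of the local Administrators group.
    # Using the SID avoids problems on systems where the group name is localized.
    $members = @(Get-LocalGroupMember -SID 'S-1-5-32-544')
    $names   = @($members | ForEach-Object { $_.Name })

    # The built-in Administrator account (RID 500) is not removed by
    # Restricted Groups, so it is not reported as unexpected.
    $unexpected = @($members | Where-Object {
        $_.SID.Value -notmatch '^S-1-5-21-.+-500$' -and
        $_.Name -notin $ExpectedMembers
    })
    $missing = @($ExpectedMembers | Where-Object { $_ -notin $names })

    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        Members    = $names
        Unexpected = @($unexpected | ForEach-Object { $_.Name })
        Missing    = $missing
        Compliant  = ($unexpected.Count -eq 0) -and ($missing.Count -eq 0)
    }
}

# Refresh computer policy first so the check reflects the linked GPO.
gpupdate /target:computer /force | Out-Null
Test-LocalAdminMembership | Format-List
```

An entry under Unexpected means the policy has not applied yet or something re-added a member after the last refresh; an entry under Missing usually means the GPO is not linked to the OU that holds this computer.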
Update: You can use the above process to add local users to the Administrators group as well. When adding the security group, you can just type in the local administrator’s username created in the previous post. It would then look like the following: