IT Employment

General discussion


What Domain Right is needed to be able to add a domain user to local admin

By wade.price ·
What specific domain right needs to be granted to me, to allow me to be to be able to add a domain user to the local admin group?

I am not a full domain admin, but I have been given rights to add computers to the domain and administer an OU.

I can add a computer to the domain just fine, but when I try to add a domain user to the local administrators group on that computer, so they can install apps, etc., it won't let me.

The bottom line is I can't grant the domain users I set up local admin privleges on their local computers.

Does anyone know what specific right I need to be granted in order to be able to do this?

Any comments would be appreciated.


This conversation is currently closed to new comments.

Thread display: Collapse - | Expand +

All Comments

Collapse -

Here's the answer

by sstark In reply to What Domain Right is need ...

You would need to be a local administrator on the box itself to add more administrators.

Also,once you join it to a domain, domain admins is automatically put in the local admin group on the system, so this will work as well, but if you aren't a domain admin, it doesn't help you.

Collapse -

Try Group Policy

by Packet Spoofer In reply to Here's the answer

Group Policy can dictate that users can be made local careful of may not want this power in the hands of all domain users......

Collapse -


by price In reply to Try Group Policy

Thanks for the reply.

The workstations set up by a full domain admin are fine and the domain users are allowed to be local admins, however, on the workstations I set up domain users are not allowed to be local admins.

Given the fact that domain admins can grant this right but I can't do you still think it may be a group policy thing?

What limited specific domain right can the domain admins grant me that would give me the right to grant local admin without them having to add me to the overall domain admins group?

Collapse -


by price In reply to Here's the answer

Thanks for reply, but I am logged in as a local admin on the machine. Still, when I try to add the domain user to the local administrators group it won't let me because I'm not a domain admin.

I've been given the domain right to add workstations, but when I add a domain user to the workstation i can't make them a local admin. I can make local users local admins, but I can't make domain users local admins.

Again, what SPECIFIC right do the domain admins need to grant me to allow me to grant local admin rights to the domain user on the machine I set up for them.


Collapse -


by UtherPendragon In reply to Thanks....but

To modify the groups that a domain user is part of, you will need to have the rights to modify that user account on the domain.

i.e. some sort of account operator rights on NT or you could be added specifically to that users OU in win2k in the security settings in AD

Hope this helps

Related Discussions

Related Forums