Some of us want to loosen up our control on the local computer and really does not matter to us what the user does with it as long as they don’t inflict damage on the domain. By default, Windows makes Domain Admins a local administrator on all computers that are a member of the domain. But domain users are still restricted, this is especially true of Windows XP computers. (Yes there are many of us still using them!)
Here is how you can give a domain user administrative access on their local computer but not make them an administrator on your domain.
Follow these steps:
1. Open Group Policy Management
2. Create a new policy and call it “Local Administrators”
3. Edit the new policy
4. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups
5. Right click in the right pane and select Add Group
6. Name the group “Administrators” and click Ok
7. Double Click the group you just created and add users or groups in the upper pane (Members of this group:) as necessary. Don’t forget to add Domain Admins!
8. In the lower pane (This group is a member of:), Click add and type Administrators. Click Ok
9. Click Ok
10. Close the editor
11. Apply the policy to the appropriate OU’s (Organizational Units or containers as some of us refer to them)
Reboot the computers and Viola! Your users can now destroy their machines in record time! Without your help!