It is frequently advantageous to have an administrator-level account
on a workstation. The trouble comes two years (and ten password changes)
after adding yourself to the local Administrators group: you've forgotten
the password you typed in all those months ago and the user is nowhere
to be found, or worse, the user is right there and also has no idea what
the admin password might be.
Active Directory offers a couple of solutions to this dilemma. Neither is great, but both beat hauling out the Windows installer CD. Both add AD groups (preferably) or AD users (use with caution: a user listed directly on a machine has to be removed from every such machine when that person moves on, whereas a group is managed in one place) to the local Administrators group. Your AD password is then all you need to remember.
Go to
Control Panel
Computer Management
Local Users and Groups
Groups
Administrators
Properties (right click)
Click Add
Under Look In:, select ad.sfu.ca
Authenticate yourself, in the form username@sfu.ca
If you receive a message during this process indicating you are not authorized (and you are sure that you have typed your ID and password correctly), just click Cancel. You will probably find that you are now authorized. ("Microsoft is aware of this issue.")
Locate and select (or type) the group or user you wish to add to the local Administrators group.
Click OK.
Click OK again. Done.
The one obvious trouble with this method is that you have to sit down
at the console of every computer you wish to set up this way. The hassle
is mitigated by the fact that you are likely already at the console to
add the computer to the domain in the first place.
It is possible to create a Group Policy to do the same thing automatically. You simply list the groups that you wish to be added to the local Administrators group, and at the next policy refresh, it's done.
There are a couple of gotchas with this policy, covered after the steps below.
It's assumed that the relevant OUs and groups have already been created, and that the Admin Tools (Active Directory Users and Computers) are installed.
Start Active Directory Users and Computers
Right-click your organizational unit, and then click Properties.
Click the Group Policy tab.
Click New
Name the policy. I chose ACS Add OU Admins to local Admin group.
Click the policy, and then click Edit.
Go to
Computer Configuration
Windows Settings
Security Settings
Restricted Groups
Right-click Restricted Groups
Click Add Group.
Click Browse.
Looking at the local computer, click the Administrators group.
Click Add.
Click OK.
You are returned to the group policy and you see the Administrators group listed in the Restricted Groups window.
Right-click the group.
Click Security.
To the right side of the Members of this Group box, click Add
Click Browse.
Under Look In:, select ad.sfu.ca
Locate and select (or type) the group or user you wish to add to the local Administrators group.
Click OK.
Click OK again.
At this point, there will be two members of the Administrators group:
the local Administrator account and the group you have just added. The
Members list in Restricted Groups is authoritative, not additive: every
policy refresh resets the group to exactly that list (only the built-in
Administrator account is kept regardless), so anything added by hand at
the console disappears at the next refresh, and so does the Domain Admins
group, which Active Directory added by default when the machine joined
the domain. You may wish to add Domain Admins back (by repeating the
relevant steps above) so that if something happens to your OU Admins
group, a Domain Admin can still help out. Otherwise, it's back to the
Windows installer CD.
Close the policy, and at the next policy refresh interval, the policy
will be applied.
If you wish to see the results of the policy immediately, apply the policy to an OU containing the machine you are currently logged into. Then, at a command prompt, type
secedit /refreshpolicy machine_policy /enforce
and press Enter. (On Windows XP and later, the equivalent is gpupdate /target:computer /force.) Now check the Administrators group membership. It should reflect the policy you've just created.
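The following PowerShell script is an added example; it is not code from the original page or from the Microsoft articles it cites. It covers both procedures above: Add-LocalAdminGroup is the console procedure (Computer Management > Administrators > Add) run remotely, so you need not visit each machine, and Test-LocalAdminPolicy is the membership check you do after the Restricted Groups policy refreshes, including the Domain Admins gotcha. It uses the ADSI WinNT provider, present from Windows 2000 onward. The domain NetBIOS name AD (for ad.sfu.ca), the group name ACS OU Admins and the computer names LAB-PC01 and LAB-PC02 are placeholder assumptions, not values from the page.

```powershell
# Added example, not code from the original page or from the Microsoft articles it cites.
# Uses the ADSI WinNT provider, present from Windows 2000 onward, so it runs against the
# same workstations the page describes and needs no newer LocalAccounts module.
# Placeholders (assumptions, not values from the page): NetBIOS domain 'AD' for ad.sfu.ca,
# admin group 'ACS OU Admins', target computers LAB-PC01 and LAB-PC02.
# Remote WinNT:// calls ride RPC/SMB and require that you are already a local
# administrator on each target; a failure is the cue that you still need the console.

function Get-LocalAdminMembers {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $admins = [ADSI]"WinNT://$ComputerName/Administrators,group"
    # Members() returns COM objects; reflect out their ADsPath, which may look like
    #   WinNT://AD/ACS OU Admins          (domain group)
    #   WinNT://AD/LAB-PC01/Administrator (local account on a domain-joined box)
    # and normalise to DOMAIN\Name or COMPUTER\Name using the last two path parts.
    @($admins.psbase.Invoke('Members')) | ForEach-Object {
        $path  = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        $parts = ($path -replace '^WinNT://', '') -split '/'
        '{0}\{1}' -f $parts[-2], $parts[-1]
    }
}

function Add-LocalAdminGroup {
    # Scripted equivalent of Computer Management > Administrators > Properties > Add.
    param(
        [Parameter(Mandatory=$true)] [string]$ComputerName,
        [string]$DomainName = 'AD',
        [string]$Group      = 'ACS OU Admins'
    )
    $current = Get-LocalAdminMembers -ComputerName $ComputerName
    # -contains on strings is case-insensitive, so 'ad\...' vs 'AD\...' is not re-added.
    if ($current -contains "$DomainName\$Group") {
        return "$ComputerName : $DomainName\$Group already a member"
    }
    $admins = [ADSI]"WinNT://$ComputerName/Administrators,group"
    $admins.psbase.Invoke('Add', "WinNT://$DomainName/$Group,group")
    return "$ComputerName : added $DomainName\$Group"
}

function Test-LocalAdminPolicy {
    # Check a machine after a Restricted Groups refresh. "Members of this group" is
    # authoritative: anything not listed in the policy is removed at every refresh,
    # and only the built-in Administrator account survives regardless.
    param(
        [string]$ComputerName    = $env:COMPUTERNAME,
        [string]$DomainName      = 'AD',
        [string[]]$PolicyMembers = @('ACS OU Admins', 'Domain Admins')
    )
    $expected = @($PolicyMembers | ForEach-Object { "$DomainName\$_" }) + "$ComputerName\Administrator"
    $actual   = @(Get-LocalAdminMembers -ComputerName $ComputerName)
    [pscustomobject]@{
        Computer            = $ComputerName
        Missing             = @($expected | Where-Object { $actual   -notcontains $_ })
        Unexpected          = @($actual   | Where-Object { $expected -notcontains $_ })
        DomainAdminsPresent = [bool]($actual -contains "$DomainName\Domain Admins")
    }
}

# --- usage -----------------------------------------------------------------------
# 1. Push the group to a list of workstations from your desk; failures are the
#    machines you still have to visit at the console.
foreach ($pc in 'LAB-PC01', 'LAB-PC02') {
    try   { Add-LocalAdminGroup -ComputerName $pc }
    catch { Write-Warning "$pc : $($_.Exception.Message)  (visit the console)" }
}

# 2. On a machine in the OU the policy targets, refresh and audit. gpupdate is the
#    Windows XP-and-later replacement for secedit /refreshpolicy machine_policy /enforce.
gpupdate /target:computer /force | Out-Null
$result = Test-LocalAdminPolicy
if (-not $result.DomainAdminsPresent) {
    Write-Warning "Domain Admins is not in the Administrators group; add it to the policy's Members list or lose your safety net."
}
$result
```

Run Add-LocalAdminGroup once against every machine you would otherwise visit; it is idempotent, so re-running after a failed batch is safe. Run Test-LocalAdminPolicy on a machine inside the policy's OU after the refresh: a non-empty Unexpected list means something was added by hand and will keep being removed at every refresh, and DomainAdminsPresent false means the Members list in the policy omits Domain Admins.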
This document is derived from Microsoft's articles Q320065 and Q228496.