I have a Windows 2008 R2 DC (just set up). We already had around 25 Windows 7 Professional / Ultimate clients, which we are now going to join to our new domain / DC. Users were already using the machines and were Local Administrators on those machines.
I want to deploy a USER via GPO which can either get created on every LOCAL windows 7 box and have Local admin rights or a Domain user which has LOCAL admin rights on every single PC on the domain (Windows XP, 7).
Will be grateful if someone could assist on this - I did try creating a user myself but it won't get created. I used the Computer Settings group in GPO Edit to create the user.
Thanks for reading - will look forward to your guidance.
Rihatum
My first recommendation is that you wrestle those admin rights away from users. It'll make your life so much easier in the end. SO MUCH EASIER! Users have a tendency to really mess up their computers when they're admins... viruses, spyware, toolbars, junky freeware, change this setting, delete this file... just don't deal with it.
That being said, if you really have to give users admin rights, you can easily create a domain user which has local admin rights on each PC. Start by creating a user in AD. Then create a group policy and apply it to all workstations. In this group policy drill down to this:
Add a new restricted group and make sure Domain Admins and the user you just created are members of it. This will not allow you to add any other local admin to these machines but will simply accomplish what you desire to do.
The other answers covered it well, but I'll just mention that Group Policy Client Side Preferences are another good option for managing local users and groups, with a bit more flexibility (but less client compatibility) than Restricted Groups.
http://www.windowsecurity.com/articles/using-restricted-groups.html
Principles of security should be used. Create a desktop admin group, add your users to this, then add it to the restricted groups.
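
An added example, not part of the original answers: a PowerShell check that the local Administrators group on a workstation holds only what the Restricted Groups policy discussed above is meant to leave there. The domain name CONTOSO, the group name "Desktop Admins", the workstation name PC01 and the sample member list are assumptions made up for illustration.

```powershell
# Added example. Hypothetical names: domain CONTOSO, group "Desktop Admins",
# workstation PC01. Written for the PowerShell 2.0 that ships with Windows 7.

function Get-LocalAdminMember {
    # Lists the members of the local Administrators group via the WinNT provider.
    param([string]$ComputerName = $env:COMPUTERNAME)
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($m in @($group.Invoke('Members'))) {
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        # WinNT://CONTOSO/Domain Admins      -> CONTOSO/Domain Admins
        # WinNT://CONTOSO/PC01/Administrator -> PC01/Administrator
        # WinNT://S-1-5-21-...               -> orphaned SID, kept as is
        $parts = @(($path -replace '^WinNT://', '') -split '/')
        if ($parts.Count -ge 2) { $parts[-2..-1] -join '/' } else { $parts[0] }
    }
}

function Compare-AdminMembership {
    # Reports drift between the intended and the actual membership.
    param([string[]]$Expected, [string[]]$Actual)
    $unexpected = @($Actual   | Where-Object { $Expected -notcontains $_ })
    $missing    = @($Expected | Where-Object { $Actual   -notcontains $_ })
    New-Object PSObject -Property @{
        Unexpected = $unexpected
        Missing    = $missing
        Compliant  = ($unexpected.Count -eq 0 -and $missing.Count -eq 0)
    }
}

# Membership the policy is supposed to enforce (assumed values).
$expected = @(
    "$env:COMPUTERNAME/Administrator",   # built-in local account
    'CONTOSO/Domain Admins',
    'CONTOSO/Desktop Admins'
)

# Constructed sample: a machine where a user account is still a local admin.
$sampleExpected = @('PC01/Administrator', 'CONTOSO/Domain Admins', 'CONTOSO/Desktop Admins')
$sampleActual   = @('PC01/Administrator', 'CONTOSO/Domain Admins', 'CONTOSO/jsmith')
Compare-AdminMembership -Expected $sampleExpected -Actual $sampleActual
# Unexpected = CONTOSO/jsmith, Missing = CONTOSO/Desktop Admins, Compliant = False

# Live check on the machine the script runs on.
Compare-AdminMembership -Expected $expected -Actual (Get-LocalAdminMember)
```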