In our AD 2003 domain each user gets local admin permissions on their computer. Everyone else can log in with their domain account as a normal user.
Right now this means going to the desktop and manually adding the user as a local administrator.
Is there any way to automate this process through logon scripts or GPOs? I have found ways to use a GPO to make everyone who logs in to a computer a local admin, but I really only want to give it to the primary user (or in some cases users) of the computer.
I've also seen methods that required adding a group for each computer... but I really don't want to clutter AD like that.
I do have a list mapping each user to each computer name. If it matters, the desktops are a mix of XP and Win7.
I would hope not. That is not a very secure thing to do. I would encourage users to use a separate account for activities that require elevated permissions. We use a local account, but this could also be a domain account that has been added to the local Administrators group.
There isn't a native group policy tool that I'm aware of to do this, but an easy solution is using PowerShell to script this kind of modification.
For a given computer axe all the users out of the administrators group, add the desired users to the group, rinse and repeat. This can be scheduled to run on a server and reapplied regularly, giving the same result as a group policy.
I used to do something similar to this. I'd highly recommend that you find out why your users need admin rights. One of the tenets of a managed IT infrastructure is to take away the rights users don't need to do their jobs.
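The "strip the group, add the mapped users, rerun on a schedule" loop described in the answer above, written out as an added example (this is not code from the answer's author). It assumes a hypothetical CSV at `C:\scripts\admins.csv` with `Computer,User` columns (the user-to-computer list the question mentions), a NetBIOS domain name of `CORP`, and that it runs as an account that is already an administrator on every desktop. It uses the ADSI `WinNT://` provider rather than `Add-LocalGroupMember`, since the latter does not exist on XP or Windows 7 and ADSI works against both from a server:

```powershell
# Added example: enforce per-computer local Administrators membership from a
# mapping file. Assumed names: $Domain, $MapFile, $Keep (all hypothetical).
$Domain  = 'CORP'                      # assumed NetBIOS domain name
$MapFile = 'C:\scripts\admins.csv'     # assumed path; rows of Computer,User
# Accounts that must never be removed, or you lock yourself out of the box.
$Keep    = @('Administrator', 'Domain Admins')

# Group the mapping by computer so a machine with several primary users is
# handled in one pass.
$map = Import-Csv -Path $MapFile | Group-Object -Property Computer

foreach ($entry in $map) {
    $computer = $entry.Name
    $wanted   = @($entry.Group | ForEach-Object { $_.User })

    if (-not (Test-Connection -ComputerName $computer -Count 1 -Quiet)) {
        Write-Warning "$computer is offline, skipping (will be retried next run)"
        continue
    }

    $group = [ADSI]"WinNT://$computer/Administrators,group"

    # Current members as 'AUTHORITY\Name' strings. Members come back as COM
    # objects, so read ADsPath via InvokeMember.
    $members = @($group.Invoke('Members')) | ForEach-Object {
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        # ADsPath looks like WinNT://CORP/jdoe or WinNT://PC01/Administrator
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }

    # "Axe" everyone who is neither protected nor on the wanted list.
    foreach ($m in $members) {
        $name = $m.Split('\')[-1]
        if ($Keep -contains $name)   { continue }
        if ($wanted -contains $name) { continue }
        Write-Host "$computer : removing $m"
        $group.Remove("WinNT://$($m -replace '\\', '/')")
    }

    # Add the mapped users that are missing.
    foreach ($u in $wanted) {
        if ($members -notcontains "$Domain\$u") {
            Write-Host "$computer : adding $Domain\$u"
            $group.Add("WinNT://$Domain/$u,user")
        }
    }
}
```

Run it from a scheduled task on the server (for example hourly) so that drift, such as a user adding a colleague to the group by hand, is reverted on the next pass; that is what makes it behave like a policy rather than a one-off change. The `$Keep` list is the caveat to get right first: removing the built-in `Administrator` or `Domain Admins` from a desktop's Administrators group is exactly the failure mode this kind of script is known for, so test the removal loop against one machine before scheduling it.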
You could also add a user to the local admin group using GPP (the preference part of the GPO).
You can create one GPO at the top level and use GPP targeting to add the user to the admin group for a specific computer.
Add this user to the built-in group if the computer name is XX.
For 200 users you would have 200 lines in that GPO.
It will take some time to set this up, but you will be able to do it remotely. And if a user ever needs to have his rights revoked, you change the GPP Update option in the line to Delete.
I could add a few screenshots if you want.