Granting Local Admin Privileges from afar
By Percy Blakeney
Some time ago I worked at a helpdesk for a national charity based in London.
There were loads of regional offices and of course they all needed central support.
One of the common problem areas was local machine administration.
As ever!
We all know that in a secured network users should never have local administration privileges, but we also know that the reality is that sometimes it is the only answer. How many applications are there that depend on local admin privileges?
Well anyway, we found two ways to get around this and today I will outline the first.
We created an OU in the Active Directory called Local PC Admin. The permissions were set so that all members of this OU were Local Administrators of their machines.
On the whole this was a pretty good set up as we put procedures in place on the helpdesk that required managerial permission for a user to be added to the group.
Of course it was easy to add a user to the group if they were on site.
But when they were remote?
Well, here is the fix we came up with:
How to remotely add the Local admin account
Start with My Computer > C:\ > Windows > System32 > mmc.exe >
Then right-click, select Run as and use your admin credentials.
This brings up the snap in console.
Then click File > add/remove snap in >
Then add… > and scroll to computer management >
Next add > select another computer then either enter the PC name or its IP or use browse to target > Finish > close > OK.
At this point you have the 2 pane MMC console populated with Computer management.
In the right hand screen, double click computer management>
In the left hand screen select Local users and groups >
In the right hand pane double click Groups>
While you are still in the right hand pane, double click Administrators and Add…>
Type part of the machine name and click Check Names.
This will identify the Local Administrator account and underline it.
Click OK and you will see the entry Domain-name\Local PC Admin (our OU name) has been added.
Job Done.
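The same change can also be scripted. The PowerShell below is an added example, not part of the original write-up: it uses the ADSI WinNT provider to do what the MMC steps do, and returns the Administrators membership before and after so the change can be recorded against the approval. The function name, CONTOSO and PC-0142 are placeholders.

```powershell
# Added example (not from the original post). Placeholder names: CONTOSO, PC-0142.
# Run from a PowerShell session started with your admin credentials.
function Add-DomainGroupToLocalAdmins {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$Domain,        # NetBIOS domain name
        [string]$GroupName = 'Local PC Admin'
    )

    # Bind to the remote machine's local Administrators group.
    $admins = [ADSI]"WinNT://$ComputerName/Administrators,group"

    # Lists current members as provider paths, e.g. WinNT://CONTOSO/Domain Admins
    $getMembers = {
        @($admins.Invoke('Members')) | ForEach-Object {
            $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        }
    }

    $before = & $getMembers
    $target = "WinNT://$Domain/$GroupName"

    if ($before -contains $target) {
        # Idempotent: do nothing if the group is already a member.
        Write-Verbose "$Domain\$GroupName is already in Administrators on $ComputerName"
    }
    elseif ($PSCmdlet.ShouldProcess($ComputerName, "Add $Domain\$GroupName to Administrators")) {
        $admins.Add("$target,group")
    }

    # Audit record: who else is a local admin, and what changed.
    [pscustomobject]@{
        Computer = $ComputerName
        Group    = "$Domain\$GroupName"
        When     = Get-Date
        Before   = $before
        After    = & $getMembers
    }
}

# Preview only: shows current members and what would be added, changes nothing.
Add-DomainGroupToLocalAdmins -ComputerName 'PC-0142' -Domain 'CONTOSO' -WhatIf
# Apply for real once the preview looks right:
# Add-DomainGroupToLocalAdmins -ComputerName 'PC-0142' -Domain 'CONTOSO' -Verbose
```

The Before list is worth a glance each time: any entry that nobody approved is a local admin that should not be there.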
This is something you can do remotely while the user is still banging on and on about how they need this printer/Application/Camera or whatever.
I hope it helps.
There are more remote tips to come!