Wednesday, March 17, 2010

Give users from a different domain local administrator rights

Scenario: You have a trust between two domains and want the domain admins of the remote domain to have local administrator privileges on the computers in the local domain.

Use a GPO: Computer Settings –> Windows Settings –> Security Settings –> Restricted Groups. Add a group named “Administrators” (referring to each computer’s local group). Under “Members”, add the following accounts and groups:

  • “Administrator” (referring to each computer’s local administrator account).
  • [local domain]\Domain Admins (referring to the local domain’s domain admins).
  • [remote domain]\Domain Admins (referring to the remote domain’s domain admins).

Important notice: The members you add are exactly the ones that will be members of the group on each computer; existing local exceptions will be overridden.
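
Because the “Members” list replaces whatever is in the group today, it is worth previewing what a computer would lose before linking the GPO. The following is an added example, not part of the original post: `Compare-RestrictedGroupMembers` is a hypothetical helper, and CONTOSO, FABRIKAM, PC01 and the two extra accounts are constructed placeholders for [local domain], [remote domain] and a sample computer.

```powershell
# Added example: preview the effect of a Restricted Groups "Members" list
# on the local Administrators group. All names below are constructed.
function Compare-RestrictedGroupMembers {
    param(
        [Parameter(Mandatory)][string[]] $Intended,   # the policy's "Members" list
        [Parameter(Mandatory)][AllowEmptyCollection()][string[]] $Current,  # group today
        [string] $ComputerName = $env:COMPUTERNAME
    )
    # Local accounts are reported as "COMPUTER\name"; strip that prefix so the
    # policy entry "Administrator" matches "PC01\Administrator".
    $prefix = '^' + [regex]::Escape("$ComputerName\")
    $want = @($Intended | ForEach-Object { $_ -replace $prefix, '' })
    $have = @($Current  | ForEach-Object { $_ -replace $prefix, '' })

    # -in / -notin compare strings case-insensitively, as account names require.
    [pscustomobject]@{
        Kept    = @($have | Where-Object { $_ -in $want })
        Removed = @($have | Where-Object { $_ -notin $want })   # local exceptions that would be lost
        Added   = @($want | Where-Object { $_ -notin $have })
    }
}

# The three entries from the list above, with placeholder domain names.
$intended = 'Administrator', 'CONTOSO\Domain Admins', 'FABRIKAM\Domain Admins'

# Constructed sample of one computer's current Administrators group.
$current = 'PC01\Administrator', 'CONTOSO\Domain Admins',
           'CONTOSO\HelpdeskTier2', 'PC01\svc_backup'

Compare-RestrictedGroupMembers -Intended $intended -Current $current -ComputerName 'PC01' |
    Format-List

# On a real computer, read the group by its well-known SID (S-1-5-32-544)
# so the check also works where the group name is localized:
#   $current = (Get-LocalGroupMember -SID 'S-1-5-32-544').Name
#   Compare-RestrictedGroupMembers -Intended $intended -Current $current
```

With the sample data, `Removed` lists CONTOSO\HelpdeskTier2 and svc_backup, which are the local exceptions the policy would override, and `Added` lists FABRIKAM\Domain Admins.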