Anyone who works as a System Administrator on Windows Server platforms is well aware of the importance of user permissions: in most cases it is advisable to provide their users with the minimum set of permits necessary to carry out their activities, in order to protect the entire network infrastructure from cyber threats (Virus, Ransomware, Data Breach attempts and the like).
Despite this, in some cases it may be necessary to temporarily grant to the Domain Users the required permission to install software, perform some system configuration changes and / or other activities normally precluded to normal users on a given physical or virtual machine entrusted to him. To make these activities possible, we can proceed in various ways, but these are not all equally recommended: the reason why I decided to write this article is due to the fact that, as a result of many discussions I had with other fellow administrators, I have seen a series of bad practices which I personally wouldn't recommend, from which it would be wise to take the necessary distance.
Let's see together what are the modalities at our disposal to increase the privileges of the domain user on the local machine:
- Increase the Domain User permissions on the entire Domain by adding the user in question in the Domain Power Users or Domain Administrators group: this is obviously a poor choice in terms of security, as it extends the user permissions without a valid reason.
- Increase the permissions of the entire Domain User Group on the local PC by including the entire DOMAINNAME/Domain Users group in the local machine's Administrators group. Such method is also hardly advisable, as it grants local administrative privileges to all the Domain Users in an indiscriminate way.
- Increase the permissions of the Domain User on the local PC by adding the user in question in the local machine's Power Users or Administrators group. This is by far the preferred method, limited to the cases when it is absolutely necessary to do so, as it only gives the minimum amount of permissions required to reach the goal.
The best way to perform this type of activity is by using the Users and Groups snap-in, which can be reached from the Windows Control Panel in the following way:
- Control Panel > Administrative Tools > Computer Management > Users and Groups
The Users and Groups snap-in allows you to create new local users, change the settings (name, password, etc.) of existing users and add (or remove) the relationships between users and / or local and / or domain groups.
Add a user to the local machine's Administrators group
To add a user to the local machine's Administrators group from the Users and Groups snap-in, you can either:
- Click to the Users folder to show a list of all the existing users.
- Click to the user you want to add to the group.
- Click to the Member of tab, which contains the groups where the user is already a member.
- Click to the Add button and add the Administrators group to the user's existing groups.
- Click to the Groups folder to show a list of all the existing groups.
- Click to the Administrators group to show a list of all the existing group members.
- Click to the Add button to add the user you want to add to the group.
2 Comments on “Windows 10 - How to set Domain User permissions on the local PC An overview of the various available options to configure user permissions for an Active Directory domain on individual PC workstations”
Sorry, maybe I’m blind but there is no how-to for – “adding the user in the local machine’s Administrators group” after you’ve opened the Users and Groups! yes I know I have to do it! But how? What the purpose of this article then? Shame… Now, let me close it and Google again for a more useful one…
Well, that’s rather obvious: Users and Groups has two folders: USERS and GROUP. To add a user to the Administrators group, you can either:
A) open USERS, click to the User you want to promote, go to the “Member of” tab and add the Administrator group.
B) open GROUPS, click to the Administrators group, and add the User you want to promote.
It’s just as simple as that: I’ll add the above explanation to the post since it seems like it’s not as obvious as it does seems to me.