A. Many organizations want the primary user of a machine to be a local administrator so they can perform advanced functions.

This is commonly achieved by adding the domain users group to the local administrators group of each desktop machine, done through a standard script or through the restricted group Group Policy capability. However, this makes all users local admins of all desktop machines and not just the primary user of a machine.

With Windows 7, the need to make normal users local administrators has largely been removed, so for most organizations this is no longer a requirement. There is no built-in ability to make the primary user a local admin of their machine only; however, if you have this requirement, here are some options to consider:

  • During the initial build of a machine, prompt at installation who the primary user will be and insert that user’s domain account into local administrators.
  • Have a database that links users to machines, and at installation the database is checked and the owner of the machine added to the local administrator group.
  • Have a process that runs on first logon where the first user to log on is added to the local administrators group. (This might not work in organizations where a member of IT logs on first to check the machine and complete the install process; however, if a manual step is performed, the user could be added into the local administrators group at that time.)
  • Use a management process to monitor desktop machines, and after the primary user has been ascertained, the user is added to local administrators.
  • Making Domain Users a member of the local Administrators group remains an option but is far from ideal, because it grants every domain user administrative rights on every desktop.

Most organizations use one of the first two options.
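The following PowerShell script is an added example of the first option above; it is not part of the original answer. It prompts during the build for the primary user's domain account (or takes it as a parameter from the build process), adds only that account to the local Administrators group, and first reports whether "Domain Users" is already a member, which is the over-broad grant the answer warns against. It uses the ADSI WinNT provider rather than the newer `Add-LocalGroupMember` cmdlet so that it also runs on Windows 7. The event-log source name is a constructed value; the script assumes it runs elevated and that the domain is given in NetBIOS form.

```powershell
<#
  Added example, not from the original text: grant local Administrators to the
  primary user only, captured at build time. Assumes an elevated session and a
  DOMAIN\username in NetBIOS form. Uses the ADSI WinNT provider so it works on
  Windows 7 as well as later versions.
#>
[CmdletBinding()]
param(
    # Primary user as DOMAIN\username; prompted for when the build does not pass it in.
    [string]$PrimaryUser = (Read-Host 'Primary user of this machine (DOMAIN\username)')
)

Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

# Accept only DOMAIN\username so a group name or local account cannot slip through.
if ($PrimaryUser -match '^(?<domain>[A-Za-z0-9._-]+)\\(?<user>[A-Za-z0-9._-]+)$') {
    $domain = $Matches['domain']
    $user   = $Matches['user']
} else {
    throw "Expected DOMAIN\username, got '$PrimaryUser'."
}
if ($domain -eq '.' -or $domain -ieq $env:COMPUTERNAME) {
    throw 'Primary user must be a domain account, not a local one.'
}

$adminsGroup = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"

# Enumerate current members of local Administrators through the WinNT provider.
function Get-LocalAdminMembers {
    param([System.DirectoryServices.DirectoryEntry]$Group)
    foreach ($m in @($Group.psbase.Invoke('Members'))) {
        [pscustomobject]@{
            Name    = $m.GetType().InvokeMember('Name',    'GetProperty', $null, $m, $null)
            Class   = $m.GetType().InvokeMember('Class',   'GetProperty', $null, $m, $null)
            ADsPath = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        }
    }
}

$before = Get-LocalAdminMembers -Group $adminsGroup

# Flag the broad grant the text describes: Domain Users sitting in local Administrators.
$broad = $before | Where-Object { $_.Class -eq 'Group' -and $_.Name -eq 'Domain Users' }
if ($broad) {
    Write-Warning "'$($broad.ADsPath)' is a member of local Administrators; every domain user is an admin on this machine."
}

# Bind to the account first so a typo fails here instead of adding an unresolvable entry.
$target = [ADSI]"WinNT://$domain/$user,user"
try { $null = $target.psbase.Name } catch { throw "Account $domain\$user could not be resolved: $_" }

if ($before | Where-Object { $_.ADsPath -ieq "WinNT://$domain/$user" }) {
    Write-Output "$domain\$user is already a member of local Administrators; nothing to do."
} else {
    $adminsGroup.Add("WinNT://$domain/$user,user")
    Write-Output "Added $domain\$user to local Administrators on $env:COMPUTERNAME."
}

# Leave an audit record that central log collection can pick up.
$source = 'PrimaryUserLocalAdmin'   # constructed event-log source name for this example
if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
    New-EventLog -LogName Application -Source $source
}
Write-EventLog -LogName Application -Source $source -EventId 1000 -EntryType Information `
    -Message "Primary user $domain\$user granted local Administrators on $env:COMPUTERNAME by build script."

# Show the resulting membership so the build log records the final state.
Get-LocalAdminMembers -Group $adminsGroup | Format-Table Name, Class, ADsPath -AutoSize
```

Run it from the build task sequence as `.\Set-PrimaryUserAdmin.ps1 -PrimaryUser 'CONTOSO\jsmith'` (hypothetical script name and account) to skip the prompt. The same membership enumeration can be run on its own against existing desktops to find machines where Domain Users is still in the local Administrators group.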