Babs

🔐 How I Granted Local Admin Rights to a User Without Compromising Domain Security

In an enterprise environment, it’s common to restrict admin access on user machines using Active Directory (AD) policies. But what happens when a team member urgently needs elevated privileges—outside work hours and without VPN access?

That’s exactly the situation I faced recently. Here’s how I resolved it efficiently by granting local admin rights—without compromising domain security.

📌 Scenario Overview

A team member was working on a time-sensitive project that required:

  • Installing applications

  • Running scripts or commands with admin privileges

However:

  • The AD setup restricts such actions to domain admins only

  • She would be working after-hours and during the weekend

She suggested calling me whenever she needed admin access so I could remotely control her screen and enter the credentials for her. However, this would be time-consuming and impractical in the long run.

✅ The Solution

Instead of providing domain admin access (which poses a security risk), I granted her local administrator privileges on her system only.

🔐 Note: Local admin rights only apply to the specific machine. This doesn't make the user a domain admin.

🧭 Step-by-Step Walkthrough

1. 🔓 Open an Elevated Command Prompt
Open Command Prompt as Administrator.

2. ➕ Add the User to the Local Administrators Group
Run the following command:

net localgroup administrators "YOURDOMAIN\username" /add

Example:

net localgroup administrators "ETCG\john.doe" /add

✅ This command tells the local machine to treat john.doe as a system administrator, on that PC only.

3. 🔍 Confirm It Worked
To verify the user was successfully added, run:

net localgroup administrators

You should see the domain user listed:

YOURDOMAIN\username

That confirms they now have admin rights on the system.

4. ✅ What the User Can Now Do
With local admin privileges, the user can:

  • Install software

  • Run commands or scripts with elevated permissions

  • Make system changes without needing your intervention

And since it’s tied to her domain account on that system, she simply uses her own password for elevation.

5. 🔒 Removing Local Admin Access (After Project Completion)
Once the project is done and elevated privileges are no longer needed, revoke access by running:

net localgroup administrators "YOURDOMAIN\username" /delete

Example:

net localgroup administrators "ETCG\john.doe" /delete

This safely removes her from the local admin group, restoring the default security posture.
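
The grant, verification and removal steps above can be combined into a time-boxed grant so the revocation does not depend on someone remembering it. The following PowerShell script is an added example, not part of the original walkthrough; the account name, expiry and the task name `Revoke-TempLocalAdmin` are placeholders, and the event query assumes security group management auditing is enabled on the machine.

```powershell
#Requires -RunAsAdministrator
# Added example: time-boxed local admin grant with scheduled revocation and audit check.
param(
    [string]$Member    = 'YOURDOMAIN\username',    # placeholder account, as in the walkthrough
    [datetime]$Expires = (Get-Date).AddDays(3)     # assumed project deadline
)

$AdminSid = 'S-1-5-32-544'            # well-known SID of BUILTIN\Administrators (the group name is localized)
$TaskName = 'Revoke-TempLocalAdmin'   # hypothetical task name

# 1. Grant: add the account only if it is not already a member.
$current = Get-LocalGroupMember -SID $AdminSid | Select-Object -ExpandProperty Name
if ($current -notcontains $Member) {
    Add-LocalGroupMember -SID $AdminSid -Member $Member
}

# 2. Schedule the revocation to run as SYSTEM at the deadline.
$cmd       = "Remove-LocalGroupMember -SID '$AdminSid' -Member '$Member' -ErrorAction SilentlyContinue"
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                 -Argument "-NoProfile -NonInteractive -Command `"$cmd`""
$trigger   = New-ScheduledTaskTrigger -Once -At $Expires
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
# StartWhenAvailable: run at the next opportunity if the PC was powered off at the deadline.
$settings  = New-ScheduledTaskSettingsSet -StartWhenAvailable
Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force | Out-Null

# 3. Verify: list current members of the local Administrators group.
Get-LocalGroupMember -SID $AdminSid | Format-Table Name, ObjectClass, PrincipalSource

# 4. Audit trail: 4732 = member added to a local group, 4733 = member removed.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4732, 4733 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
```

Because the user is a local administrator for the duration, she can also delete or change the scheduled task, so treat it as a safety net and confirm the removal afterwards with `net localgroup administrators` or a 4733 event.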

🧠 Key Takeaways

  • It's a least-privilege approach: the user has elevated access only where and when needed

  • Always remember to remove access when no longer required

If you’re in a similar situation, this method strikes the right balance between user productivity and security hygiene.
