You want to make a set of users in an Active Directory (AD) group local admins.
This solution makes the users in the given AD group local admins on any workstation. You could also use it to make certain people admins of only their own workstation, but that would require one AD group per workstation.
- Create the AD global security group "Local Computer Admins".
- Ensure you group your computers by server vs. workstation. For SBS sites, you'll see this in MyBusiness\Computers\SBSComputers and MyBusiness\Computers\SBSServers. Alternatively, you could use AD groups containing the computers to control how the GPO is applied, but we'll use an OU.
- Start the Group Policy Management MMC.
- In the OU MyBusiness\Computers\SBSComputers (notice we are only using this GPO for workstations, not servers, to be safe), create a new GPO named "Local Computer Admins".
- Edit the new Local Computer Admins GPO. For this GPO, we'll be modifying the Computer Configuration so that the Administrators local group includes the Local Computer Admins group.
- Navigate to Computer Configuration\Policies\Windows Settings\Restricted Groups.
- Right-click Restricted Groups and click Add Group. Enter Administrators and click OK.
- The Properties window will appear. This is where we add the AD group. Click Add next to Members of this group.
- The group window will appear. Click Browse and then find the Local Computer Admins group in AD. Click OK.
- When you return to the Properties window, you should see the AD group in the Members of this group field. Click OK.
- Close the Group Policy Management Editor window to save your changes.
You're done! Now just add users to the Local Computer Admins AD group and they will be admins on local workstations. You can use this technique for a number of local administrative capabilities, e.g., enabling RDP access for admins and non-admins.
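To confirm the policy took effect, the following check can be run on a workstation in the SBSComputers OU. It is an added example, not part of the original procedure; it assumes PowerShell 5.1 or later (for Get-LocalGroupMember) and uses the group name from the steps above.

```powershell
# Added example: verify the Restricted Groups setting on a domain-joined workstation.
$groupName = 'Local Computer Admins'   # AD group created in the steps above

# Refresh computer policy so the Restricted Groups setting is applied now.
gpupdate /target:computer /force | Out-Null

# S-1-5-32-544 is the well-known SID of the local Administrators group;
# using the SID avoids depending on a localized group name.
$members = Get-LocalGroupMember -SID 'S-1-5-32-544'

# Domain principals are listed as DOMAIN\Name, so match the part after the backslash.
$adGroup = $members | Where-Object {
    $_.ObjectClass -eq 'Group' -and $_.Name -like "*\$groupName"
}

# Everything else except the built-in Administrator account (RID 500).
$others = $members | Where-Object {
    $_.Name -notlike "*\$groupName" -and
    $_.SID.Value -notmatch '^S-1-5-21-.+-500$'
}

# Summary object: easy to read on screen or to collect from several machines.
[pscustomobject]@{
    Computer       = $env:COMPUTERNAME
    AdGroupPresent = [bool]$adGroup
    OtherMembers   = @($others | ForEach-Object { $_.Name })
}
```

The Members of this group list sets the complete membership of Administrators, so accounts that were in the local group before and are not on the list (other than the built-in Administrator) are removed when the policy applies. OtherMembers should therefore be empty unless another policy adds entries.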