Assign Domain Users as a Client Computer Local Administrators and Remote Desktop Users
This domain users have local computer right to install software on client computer, but this user no permission on server.
For the security risk, this user password should only handle by admin/support staff, even this account can't harm server, but this login can access/remote any local computer.
Source : This is original source and more detail about the step.
First you need to create a security group called Group_Support
- Create a security Group name it Group_Support.
- Create a Domain Users and add as Group_Support member.
Step 2: Create Group Policy.
Next you need to create a group policy called “MYS GPO”
- Open Group Policy Management Console ( gpmc.msc )
- Right click on Group Policy Objects and select New.
Type the name of the policy "MYS GPO"
Step 3: Configure the policy to add the “Group_Support” group as Administrators
Right click “MYS GPO” Policy then select Edit.
Expand Computer configuration\Policies\Windows Settings\Security Settings\Restricted Groups
In the Left pane on Restricted Groups, Right Click and select “Add Group“
In the Add Group dialog box, enter Group_Support and click ok to close the dialog box.
Click Add under “This group is a member of:”
Add the “Administrators” Group.
Add “Remote Desktop Users”
Click OK twice
NOTE# When adding groups, you can add whatever you want, the GPO will match the group on the system, if you type “Admins” it will match a local group called Admins if it exists and put “Support_Group” in that group.
Step 4: Linking GPO
In Group policy management console, right click on the domain or the OU and select Link an Existing GPO
Select the MYS GPO
Step 5: Testing GPOs
Log on to a PC which is join to the domain and then run gpupdate /force and check the local administrators group. You should see Group_Support in that group now. Make sure all PCs you want to access should be move to an OU and properly link above GPO. Tom and Bob domain users can now access all PCs remotely as a local administrator.
Important Remark :
If you rename Group_Support, the GPOs will update as same.