Although users generally shouldn’t have administrator rights on their machines, IT administrators may need to grant those rights temporarily as a last resort. Users might need to download applications, add a printer, or take other administrative actions on a short-term basis. There are several ways to give a remote user admin rights on their Windows® machine, though some are more secure and more efficient than others.
Grant Admin Rights on Individual Machine
One way to give a user admin rights is to do so locally on the machine itself. Log in as an admin, navigate to Local Users and Groups, and grant admin rights there.
However, this option is not ideal in a remote work scenario or when you’re managing machines in bulk, and it requires you to navigate into the same menu to revoke admin rights when they’re no longer needed. There are more systematic ways to grant and revoke user admin rights at scale.
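The local grant and revoke described above can be scripted so that the revocation is scheduled at the moment the rights are granted. This PowerShell sketch is an added example, not part of the original article or any vendor tooling; the function name, the task name prefix, and the sample account `CONTOSO\jdoe` are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example: time-boxed local admin grant with a scheduled revoke.
# Function and task names are hypothetical; run from an elevated session.

$AdminSid = 'S-1-5-32-544'   # well-known SID of the built-in Administrators group
                             # (using the SID avoids localized group names)

function Grant-TemporaryLocalAdmin {
    param(
        [Parameter(Mandatory)][string]$Member,        # e.g. 'CONTOSO\jdoe' (constructed sample)
        [ValidateRange(1, 1440)][int]$Minutes = 60    # cap the grant at 24 hours
    )

    # The account name is embedded in a command line below, so accept only
    # DOMAIN\user or COMPUTER\user with no quotes or shell metacharacters.
    if ($Member -notmatch '^[\w.\-]+\\[\w.\-]+$') {
        throw "Expected DOMAIN\user or COMPUTER\user, got '$Member'"
    }

    # If the account is already a member this throws, so a standing grant
    # is never given an automatic removal by mistake.
    Add-LocalGroupMember -SID $AdminSid -Member $Member -ErrorAction Stop

    # Revoke as SYSTEM so removal does not depend on anyone being logged on.
    $revoke  = "Remove-LocalGroupMember -SID $AdminSid -Member '$Member'"
    $action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
                 -Argument "-NoProfile -NonInteractive -Command `"$revoke`""
    $expires = (Get-Date).AddMinutes($Minutes)
    $trigger = New-ScheduledTaskTrigger -Once -At $expires

    # StartWhenAvailable: if the machine is off at expiry, revoke at next start.
    $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable
    $taskName = 'Revoke-TempAdmin-' + ($Member -replace '[^\w]', '_')

    Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
        -Settings $settings -User 'NT AUTHORITY\SYSTEM' -RunLevel Highest -Force | Out-Null

    [pscustomobject]@{ Member = $Member; ExpiresAt = $expires; RevokeTask = $taskName }
}

# Usage (constructed sample account):
#   Grant-TemporaryLocalAdmin -Member 'CONTOSO\jdoe' -Minutes 30
# Verify afterwards:
#   Get-LocalGroupMember -SID $AdminSid
```

Group membership is read at logon, so the user must sign out and back in to receive the rights, and a session that is already open keeps them until it ends even after the revoke task has run.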
Active Directory’s Restricted Groups GPO
Another way to give a user admin rights, if you’re an Active Directory® admin, is to use AD’s GPO for restricted groups. You can apply the policy to the OU that contains the target workstations and add the group of users you want to have admin rights. You can then remove the users from the group when they no longer need those rights.
Although this option is more efficient and secure than accessing each individual machine, it comes with its own set of risks — namely the complexity of rolling out GPOs and understanding their inheritance order.
This approach will also require manual configuration, and you’ll want to test extensively and understand the changes thoroughly before rolling them out to your organization. You might also face difficulties if remote users don’t regularly connect to the internal network and therefore don’t get the updated GPO. However, with advance testing and planning, this option is a more feasible way to manage admin rights on remote machines.
Remote, Cross-Platform System Management
Another approach to consider is to integrate a cloud directory service into your stack to achieve remote system management capabilities. Modern cloud directory services can accommodate not only Windows but also macOS® and Linux® machines — and they allow for entirely remote, cloud-based management.
One such solution is JumpCloud® Directory-as-a-Service®. JumpCloud can serve either as a standalone directory service in the cloud or as a comprehensive Active Directory identity bridge.
With JumpCloud, admins can create local accounts on Windows machines, bind those accounts to individual users, and control whether those users have admin rights from a central web-based Admin Portal. Admins don’t need to access the individual machines, and changes to user admin rights are reflected quickly on machines without further action needed.
Manage & Monitor Systems from the Cloud
With JumpCloud’s system management solution in place, admins can take further actions to provide remote support for their systems via preconfigured, GPO-like Policies and a web-based command runner. They can also monitor key data points such as installed OS and patches, all local accounts, and memory, storage, and CPU.