You can use Group Policy Preferences to implement a fairly simple but reliable method of managing your local admin users, so that each user is an administrator on their primary machine only.
For this you need to edit Computer Group Policy Preferences in your Windows 10 Common Computer policy.
- The first part of the policy clears the membership of the local Administrators group and then adds the default users and groups you need to give permissions to.
- The second part adds the user of the computer to local Administrators on their PC only, but only if the AD group "%ComputerName%-Admins" exists.
- For each user, the IT support team needs to create a domain security group called "%ComputerName%-Admins", i.e. "A003674-Admins", then add the specific user as a member of that group.
- To avoid warnings being logged to the Application Event Log on machines that do not have a "%ComputerName%-Admins" domain group, the policy item is Item-level Targeted using an LDAP Query …
Filter : (&(objectCategory=group)(cn=%ComputerName%-Admins))
Binding : LDAP://<domain>.com
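The IT support step above, as an added PowerShell example (not code from the original post): it creates the per-machine "<ComputerName>-Admins" group, adds the primary user, and then runs the same LDAP filter the item-level targeting evaluates, so you can confirm the GPP item will apply before the next policy refresh. It assumes the RSAT ActiveDirectory module, rights to create groups in the OU, and placeholder values for the OU, computer and user; the page does not specify a group scope, so Global is assumed.

```powershell
# Added example, not the original post's code. Creates "<ComputerName>-Admins",
# adds the user, and verifies it with the policy's own LDAP filter.
param(
    [Parameter(Mandatory)] [string] $ComputerName,   # e.g. 'A003674' (example value)
    [Parameter(Mandatory)] [string] $UserName,       # sAMAccountName of the primary user
    [string] $GroupOU = 'OU=LocalAdminGroups,DC=example,DC=com'  # placeholder OU
)
Import-Module ActiveDirectory

$GroupName = "$ComputerName-Admins"

# 1. The computer object must exist; a typo here would otherwise create an orphan
#    group that grants nothing but still looks like a delegated admin entitlement.
if (-not (Get-ADComputer -Filter "Name -eq '$ComputerName'")) {
    throw "Computer '$ComputerName' not found in AD; not creating '$GroupName'."
}

# 2. Create the group only if it does not already exist (Global scope is an assumption).
$Group = Get-ADGroup -Filter "Name -eq '$GroupName'"
if (-not $Group) {
    $Group = New-ADGroup -Name $GroupName -SamAccountName $GroupName `
        -GroupScope Global -GroupCategory Security -Path $GroupOU `
        -Description "Members are local Administrators on $ComputerName only" -PassThru
}

# 3. Add the user as a member, idempotently.
$Members = Get-ADGroupMember -Identity $Group | Select-Object -ExpandProperty SamAccountName
if ($Members -notcontains $UserName) {
    Add-ADGroupMember -Identity $Group -Members $UserName
}

# 4. Verify with the same query the Item-level Targeting uses:
#    Filter (&(objectCategory=group)(cn=<ComputerName>-Admins)), bound to the domain root.
$Searcher = New-Object System.DirectoryServices.DirectorySearcher
$Searcher.SearchRoot = [ADSI]"LDAP://$((Get-ADDomain).DistinguishedName)"
$Searcher.Filter     = "(&(objectCategory=group)(cn=$GroupName))"
if ($Searcher.FindOne()) {
    Write-Host "OK: '$GroupName' resolves; the GPP item will apply on $ComputerName."
} else {
    Write-Warning "'$GroupName' is not yet visible via LDAP; check replication before testing the policy."
}
```

Because every "<ComputerName>-Admins" group is a standing admin grant, review who can create or modify groups in that OU and audit membership changes there as you would any privileged group.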