Make User Profile Local Admin on all stations?

I know that a user can be added to the domain user group, but is it possible to add a user to a local admin group, so that they have full local admin rights on all workstations? I think our DC uses Win 2k (just a guess though).

If you create an admin account that is a roaming account, it can act as a local admin account when the workstations are off the net. But if you want to empower someone to be able to perform local admin access, but restrict them out of domain admin wide access, I'd set up a power user privileged account and in GP, I believe you can restrict the systems they have access to which restricts them to just the workstations vs being able to logon to servers and sensitive systems such as payroll and HR etc.

* For the local admin to work offline, the admin account would have to have been logged on to each workstation to populate the users or documents and settings section of each machine, so that it will recognize the admin in offline state. It is one benefit of a roaming profile for admin access that it can function offline once initialized against the DC.

** Also this hasn't been tested yet myself, but someone said once that you can copy the admin account profile from the initialized machine to other machines in the workgroup of systems to the users or documents and settings folder depending on Win 7 or XP etc and when you logon to the workstation offline it recognizes the local admin because the roaming profile was replicated to the other computers.

Quote from: DaveLembke on October 29, 2013, 09:42:14 PM

If you create an admin account that is a roaming account, it can act as a local admin account when the workstations are off the net. But if you want to empower someone to be able to perform local admin access, but restrict them out of domain admin wide access, I'd set up a power user privileged account and in GP, I believe you can restrict the systems they have access to which restricts them to just the workstations vs being able to logon to servers and sensitive systems such as payroll and HR etc.

* For the local admin to work offline, the admin account would have to have been logged on to each workstation to populate the users or documents and settings section of each machine, so that it will recognize the admin in offline state. It is one benefit of a roaming profile for admin access that it can function offline once initialized against the DC.

** Also this hasn't been tested yet myself, but someone said once that you can copy the admin account profile from the initialized machine to other machines in the workgroup of systems to the users or documents and settings folder depending on Win 7 or XP etc and when you logon to the workstation offline it recognizes the local admin because the roaming profile was replicated to the other computers.

We do use roaming profiles for most of the users (although not all I think). I really don't feel like making a new group though. LOL! If it was as simple as adding the user to an existing/default group, then I'd be down, but I'll probably just go with domain admin anyway. I may actually just need to double check that my profile is roaming... :/ because I have set myself to local admin on several machines, but it never persists to new machines... so the DC obviously isn't passing it along.
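
Added example, not part of the thread: membership of the local Administrators group is stored on each workstation, so it has to be checked (and, with `-Fix`, set) machine by machine. It assumes PowerShell 5.1 with remoting enabled on the workstations; the computer names and `EXAMPLE\Workstation-Admins` are placeholders.

```powershell
# Added example: report (and optionally repair) local Administrators membership.
# All names below are placeholders, not values from the thread.
param(
    [string[]]$ComputerName = @('WS-01', 'WS-02'),    # hypothetical workstation names
    [string]$Member = 'EXAMPLE\Workstation-Admins',   # hypothetical domain user or group
    [switch]$Fix                                      # without -Fix the script only reports
)

# Runs on each workstation. Uses the well-known SID of the built-in
# Administrators group so it also works on non-English installations.
$check = {
    param($Member, $Fix)
    $adminSid = 'S-1-5-32-544'
    $present = [bool](Get-LocalGroupMember -SID $adminSid -ErrorAction Stop |
        Where-Object { $_.Name -eq $Member })
    $added = $false
    if (-not $present -and $Fix) {
        Add-LocalGroupMember -SID $adminSid -Member $Member -ErrorAction Stop
        $added = $true
    }
    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        Member     = $Member
        WasPresent = $present
        Added      = $added
        Error      = $null
    }
}

$results = foreach ($computer in $ComputerName) {
    try {
        Invoke-Command -ComputerName $computer -ScriptBlock $check `
            -ArgumentList $Member, $Fix.IsPresent -ErrorAction Stop
    } catch {
        # Unreachable host, access denied, or a failure inside the remote block
        [pscustomobject]@{
            Computer   = $computer
            Member     = $Member
            WasPresent = $null
            Added      = $false
            Error      = $_.Exception.Message
        }
    }
}

$results | Select-Object Computer, Member, WasPresent, Added, Error | Format-Table -AutoSize
```

Running it without `-Fix` first shows which workstations already have the account in the group and which do not.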
