I have one domain and I want to create a sub-administrator account that can do various things on the local machine such as change the computer name, the ip address, and/or install a printer/program. Now from what I read, with domain admins and enterprise admins or any users that are part of those groups, thier account are already added to the local administrators account on the local machine. This is why when they log in, they can do these types of things: change the computer name, IP, printer/program, add to the domain, etc....So getting to my question, how would you create a user that you didnt want to add to domain admins or enterprise admins group, but still wanted LOCAL admin rights? In other words, I just want a user that doesnt have any domain administrative rights, but can log onto any machine and has full local admin rights? I tried doing a group policy that applied to that user that ENABLED them with those rights, but the GP didnt affect anything. I even put it ahead of the domain default GP just to make sure that wasnt affecting anything. I know there is a place in AD for "delegation", but most of that is just rights for the actual AD structure, not rights which im wanting on local machines. How would i go about doing this?