Service Account Needing Admin Level Account Access

andretusant.power 1 Reputation point
2020-05-27T18:05:36.883+00:00

My company uses a depot offsite to manage our laptops and tablets. They are assigned the tasks of imaging our laptops and then preparing them to send to a designated user. One of the tasks that we need them to handle is getting them on our domain via Cisco AnyConnect VPN. So we've provided them a Service Account and this allows them access to our domain. Once on the domain, we need them to add that designated user as a local admin on that machine. When they attempt to add the user to the administrators group, their Service Account credentials do not allow them to accomplish this. They have to call over to my team to have us connect to the machine and enter our admin credentials. The goal is to give them this access without getting so many involved. The users at the depot have external domain accounts, but they do not use these to accomplish their tasks. Also, our DBA will not allow them to have domain admin credentials. So a Delegate Control Wizard permissions setting would be the only thing that suffices.

Please help!

1 answer

  1. Dan 176 Reputation points
    2020-05-27T18:59:29.933+00:00

    If the machine is joined to the domain, you could use Group Policy to add the required account to the local Administrators group; this would save the need for the 3rd party to add the account.

    https://thesysadminchannel.com/add-local-administrators-via-gpo-group-policy/

    Hope that helps!