Server 2012 local admin

[zoran89]

Is there a way in group policy to make someone admin on all computers in domain, but to deny him access on server?

 

[BonzaiDuck]

Just off the top of my head, I think if the account in question took "ownership" for successively each of the several machines with "full control," but with the account's usual status in the network either below administrator or excluded from server administrator access and control.

Alternatively, making someone administrator on their own machine or adding an administrator account for that machine does not require administrative privileges on the server, so you could set up the account a subject might use on his own machine and add it to the second (third, fourth . . ) machine with administrative access, and then use Remote desktop to have full control of any of them.

There's a sieve of possibilities or options in the sharing, security, permissions and ownership range of values. So you should be able to do it.

Maybe someone more familiar with these features for Win Server editions could either correct me or suggest an approach with more specific detail.