When a Windows NT4 (or later) client joins a domain, the domain global Domain Admins group is added to the membership of the local Administrators group on the client. Any user who is a member of the domain global Domain Admins group will have administrative rights on the Windows client.

This is often not the most desirable solution because it means that the user will have administrative rights and privileges on domain servers also. The Power Users group on Windows client workstations permits local administration of the workstation alone. Any domain global user or domain global group can be added to the membership of the local workstation group Power Users.

See Nested Group Support for an example of how to add domain users and groups to a local group that is on a Windows workstation. The use of the net command permits this to be done from the Samba server.

Another way this can be done is to log onto the Windows workstation as the user Administrator, then open a cmd shell, then execute:

C:\>  net localgroup administrators /add 
domain_name\entity

where entity is either a domain user or a domain group account name.