Domain Users to have Local Admin rights

microsoft.public.windows.server.security
Subject Author Date
Domain Users to have Local Admin rights RedPenguin 04-28-2006
Posted by RedPenguin on May 3, 2006, 5:21 pm
I think it's this 2000 machine I am using as the client. I used
gpupdate /force on the server and logged off and logged back in, and even
a simple thing like Disable Internet Explorer's Connections tab was not
even applied. I do not believe it is even applying the GPO even though
its login is under this GPO.


Posted by RedPenguin on May 5, 2006, 10:27 pm
Finally it worked. I just noticed the PC constantly said cannot find
user or computer name in Event Viewer. I just renamed the PC again and
changed the domain and it re-added it, and now everything works fine.
And the script is great!


Posted by Blackhole on May 4, 2006, 10:18 pm
Easy. I discovered this one by accident. Follow what Brooster said, but
instead of adding domain\domain admin, leave the domain name portion off
and add just the name of the local PC account you want to be an admin. GPO
does not check to see if it is a valid name or not.

After that, if that local account name is added to the local admin group on
a PC, GPO will not delete that name when it is applied AND it does not
automatically grant it admin access (as it would for DOMAIN\DOMAIN ADMIN
names) to any PC until you add it to the local PC admin group.


> Well, here is the problem. That I am not sure about using Brooster's
> solution.
>
> We have various admin accounts other than administrator
> on some of the client machines, and we do not want to
> have it remove those, because some are laptops and they
> use those accounts when they log in at home. Is there any way to be able to
> keep their current admin accounts also?
>
>
>> Hi,
>>
>> Brooster posted a solution to your question.
>>
>> What I would like to add is a warning against using domain administrator
>> accounts to log on to user computers.
>> So simply put -- don't use accounts that have domain administrator
>> permissions for logging on to client computers. Use these accounts only
>> for working on domain controllers.
>> For logging on to client computers create new accounts (e.g. admin-mike,
>> admin-greg, etc) and add them to a group called e.g. Help Desk. Now add
>> this group to Local Administrator group by using solution proposed by
>> Brooster.
>>
>> --
>> Mike
>> Microsoft MVP - Windows Security
>>
>>> Ok we recently installed Microsoft Server 2003 Enterprise Edition on our
>>> PC. The whole domain is working and everyone has their own login that
>>> works. The only thing is, those users do not have local admin privileges
>>> on the PCs they log on to.
>>>
>>> We wish to have a handful of users, HelpDesk, that when they log in to
>>> any machine, they automatically get admin privileges on the workstation.
>>>
>>> We tried playing with Group Policy Editor but nothing at all will work.
>>>
>>
>>
>
>



Posted by Roger Abell [MVP] on April 29, 2006, 6:32 am
As you are just now starting out on the Active Directory experience, and
your users are getting used to new things and ways of doing them . . .

I would strongly encourage you not to give out admin to the users.

Why do they need that?
Do you comprehend the support effort that can, likely will, cause?

The last thing I want is lots of users running as admin on their box
all of the time. If there really is an unavoidable need for them to
be able to use admin authority, provide them with a separate
account (perhaps a machine local account) and also with guidance
on how it is only to be used when necessary.
Keep their day-to-day domain user account as a plain, limited
user account and you will be much better off in the long (and
short, as problems may crop up that fast) run.


> Ok we recently installed Microsoft Server 2003 Enterprise Edition on our
> PC. The whole domain is working and everyone has their own login that
> works. The only thing is, those users do not have local admin privileges
> on the PCs they log on to.
>
> We wish to have a handful of users, HelpDesk, that when they log in to any
> machine, they automatically get admin privileges on the workstation.
>
> We tried playing with Group Policy Editor but nothing at all will work.
>
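
The advice in the posts above (a dedicated Help Desk group in the local Administrators group, day-to-day domain accounts kept limited, extra local accounts only where needed) can be checked per machine. This is an added example, not code from the thread; CONTOSO, PC01 and the account names are constructed, and the sample objects mimic the output of Get-LocalGroupMember, which ships with Windows PowerShell 5.1 and is newer than the systems discussed here.

```powershell
# Added example, not from the thread. All names and SIDs below are constructed.
function Get-LocalAdminFinding {
    param(
        [Parameter(Mandatory)] [object[]] $Member,
        # Assumption: the delegated group is called 'Help Desk' in domain CONTOSO.
        [string[]] $AllowedGroup = @('CONTOSO\Help Desk')
    )
    foreach ($m in $Member) {
        $sid = [string]$m.SID
        $src = [string]$m.PrincipalSource
        # RID 500 = built-in Administrator, RID 512 = Domain Admins.
        $verdict = if ($src -eq 'Local' -and $sid -match '^S-1-5-21-[\d-]+-500$') {
            'OK: built-in Administrator'
        } elseif ($m.ObjectClass -eq 'Group' -and $sid -match '^S-1-5-21-[\d-]+-512$') {
            'DEFAULT: Domain Admins (do not log on to clients with these accounts)'
        } elseif ($m.ObjectClass -eq 'Group' -and $AllowedGroup -contains $m.Name) {
            'OK: delegated admin group'
        } elseif ($src -eq 'Local') {
            'REVIEW: extra local account (confirm it is still needed)'
        } elseif ($m.ObjectClass -eq 'User') {
            'FLAG: domain user added directly (day-to-day account as admin?)'
        } else {
            'FLAG: unexpected group'
        }
        [pscustomobject]@{ Name = $m.Name; Verdict = $verdict }
    }
}

# Constructed sample membership for one workstation.
$sample = @(
    [pscustomobject]@{ Name = 'PC01\Administrator'; SID = 'S-1-5-21-1111-2222-3333-500'
                       ObjectClass = 'User';  PrincipalSource = 'Local' }
    [pscustomobject]@{ Name = 'PC01\homeadmin';     SID = 'S-1-5-21-1111-2222-3333-1001'
                       ObjectClass = 'User';  PrincipalSource = 'Local' }
    [pscustomobject]@{ Name = 'CONTOSO\Domain Admins'; SID = 'S-1-5-21-4444-5555-6666-512'
                       ObjectClass = 'Group'; PrincipalSource = 'ActiveDirectory' }
    [pscustomobject]@{ Name = 'CONTOSO\Help Desk';  SID = 'S-1-5-21-4444-5555-6666-1105'
                       ObjectClass = 'Group'; PrincipalSource = 'ActiveDirectory' }
    [pscustomobject]@{ Name = 'CONTOSO\jsmith';     SID = 'S-1-5-21-4444-5555-6666-1110'
                       ObjectClass = 'User';  PrincipalSource = 'ActiveDirectory' }
)

Get-LocalAdminFinding -Member $sample | Format-Table -AutoSize

# On a live machine:
# Get-LocalAdminFinding -Member (Get-LocalGroupMember -Group Administrators)
```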


