Click here to get back home

sbs2003 and users rights on local computer
 HomeNewsGroups | Search | About
Login Password
Register Now!
 microsoft.public.windows.server.security    Post an article   get this group's latest topics as an RSS feed add this group's latest topics to your My MSN content add this group's latest topics to your My Yahoo content
Subject Author Date
sbs2003 and users rights on local computer George Hardy 07-05-2007
Posted by George Hardy on July 5, 2007, 11:38 am
Please log in for more thread options
 : quoted-printable

hi all,

i was wondering how you give rights to a user logging into a domain =
computer, so that they can install software. I dont want them to have =
admin rights all over the network, but do want them to update certain =
programs we use internally.

is there a way to give them app install rights w/o being domain admin?

thanks,
george hardy


------=_NextPart_000_0020_01C7BEF0.9E541ED0
Content-Type: text/html;
        charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Diso-8859-1">
<META content=3D"MSHTML 6.00.6000.16481" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3DArial size=3D2>hi all,</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>i was wondering how you give rights to =
a user=20
logging into a domain computer, so that they can install software.&nbsp; =
I dont=20
want them to have admin rights all over the network, but do want them to =
update=20
certain programs we use internally.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>is there a way to give them app install =
rights w/o=20
being domain admin?</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>thanks,</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>george hardy</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV></BODY></HTML>

------=
Posted by CarlS via WinServerKB.com on July 5, 2007, 2:45 pm
Please log in for more thread options
 If you want to allow users full access to a member server, but not the domain,
you can add "NT AUTHORITY\INTERACTIVE" to the administrators group on the
member server. This will grant any logged on user admin rights to the member
server when they are logged into it.

George Hardy wrote:
>hi all,
>
>i was wondering how you give rights to a user logging into a domain computer,
so that they can install software. I dont want them to have admin rights all
over the network, but do want them to update certain programs we use internally.
>
>is there a way to give them app install rights w/o being domain admin?
>
>thanks,
>george hardy

--
Message posted via WinServerKB.com
http://www.winserverkb.com/Uwe/Forums.aspx/windows-server-security/200707/1


Posted by Martin X. on July 6, 2007, 12:00 pm
Please log in for more thread options
Carl:

This looks interesting. Does it only limit them to interactive logons at the
console and RDP? So they wouldn't be able to do any admin level stuff via
something like the comp mgt mmc from another computer?

Regards,
Martin

If you want to allow users full access to a member server, but not the
domain,
you can add "NT AUTHORITY\INTERACTIVE" to the administrators group on the
member server. This will grant any logged on user admin rights to the member
server when they are logged into it.

George Hardy wrote:
>hi all,
>
>i was wondering how you give rights to a user logging into a domain
>computer, so that they can install software. I dont want them to have
>admin rights all over the network, but do want them to update certain
>programs we use internally.
>
>is there a way to give them app install rights w/o being domain admin?
>
>thanks,
>george hardy

--
Message posted via WinServerKB.com
http://www.winserverkb.com/Uwe/Forums.aspx/windows-server-security/200707/1



Posted by CarlS via WinServerKB.com on July 6, 2007, 3:26 pm
Please log in for more thread options
Correct. We use it on our user pc's. It gives whoever logs on locally the
local admin rights to install software. They can not, however, connect to any
other pc remotely, except under specific conditions. I.E, they put
themselves in the administrators group on one pc, and then log onto another
pc.

Martin X. wrote:
>Carl:
>
>This looks interesting. Does it only limit them to interactive logons at the
>console and RDP? So they wouldn't be able to do any admin level stuff via
>something like the comp mgt mmc from another computer?
>
>Regards,
>Martin
>
>If you want to allow users full access to a member server, but not the
>domain,
>you can add "NT AUTHORITY\INTERACTIVE" to the administrators group on the
>member server. This will grant any logged on user admin rights to the member
>server when they are logged into it.
>
>George Hardy wrote:
>>hi all,
>>
>[quoted text clipped - 7 lines]
>>thanks,
>>george hardy

--
Message posted via http://www.winserverkb.com


Posted by George Hardy on July 17, 2007, 11:51 am
Please log in for more thread options
so the short answer is add NT AUTHORITY/INTERACTIVE right on the workstation
for the user?

geo

> The trick here is that if you make someone an administrator, you might as
> well admit that they own it - or will when they figure out how to defeat
> any
> tweaks implemented to restrict their access.
>
> /Al
>
>> Correct. We use it on our user pc's. It gives whoever logs on locally the
>> local admin rights to install software. They can not, however, connect to
>> any
>> other pc remotely, except under specific conditions. I.E, they put
>> themselves in the administrators group on one pc, and then log onto
>> another
>> pc.
>>
>> Martin X. wrote:
>>>Carl:
>>>
>>>This looks interesting. Does it only limit them to interactive logons at
>>>the
>>>console and RDP? So they wouldn't be able to do any admin level stuff via
>>>something like the comp mgt mmc from another computer?
>>>
>>>Regards,
>>>Martin
>>>
>>>If you want to allow users full access to a member server, but not the
>>>domain,
>>>you can add "NT AUTHORITY\INTERACTIVE" to the administrators group on the
>>>member server. This will grant any logged on user admin rights to the
>>>member
>>>server when they are logged into it.
>>>
>>>George Hardy wrote:
>>>>hi all,
>>>>
>>>[quoted text clipped - 7 lines]
>>>>thanks,
>>>>george hardy
>>
>> --
>> Message posted via http://www.winserverkb.com
>>
>
>



Similar ThreadsPosted
Domain Users to have Local Admin rights April 28, 2006, 3:17 pm
How2: User Rights on Domain but Admin Rights on Computer December 20, 2006, 3:40 pm
Can a Computer (so everyone who logs on on that computer) have access rights? January 12, 2006, 6:50 am
Users Rights Keep Disappearing January 1, 2006, 5:04 pm
My domain users have administrative rights. July 18, 2006, 4:18 pm
Rights to allow non admin to close other users' files March 6, 2008, 6:18 am
Pulling out users different EFFECTIVE access rights to folders? June 29, 2005, 5:15 am
Changing local file rights July 27, 2005, 11:00 am
lost password with sbs2003 r2. Cannot log into system January 14, 2007, 11:41 pm
Can I delete 'Athenticated Users' group form local 'Users' group January 29, 2008, 11:52 am

Our other projects:

Art Dolls, Fairies and Mermaids - Sunnyfaces.net

Roy's Linux, Programming and Search Engines messages

1-Script XML SitemapXML Sitemap