administrator rights for computer

[Sher]

Archived from groups: microsoft.public.win2000.security (More info?)

Hi all,
I have a normal user who logs on to a 2003 server network which has group
policies set.
I have a program that requires administrator rights to the workstation in
order to run.
If I assign adminstrator rights to the domain user at the workstation level
(user accounts)then the user also has administrartor rights to the domain.
How can I assign workstation administrator rights to the domain user but not
domain administrator rights?
I want this user to get all the gp's set.
Thanks in advance for any help
Sher

 

[Guest]

Archived from groups: microsoft.public.win2000.security (More info?)

Add their domain account to the local administrator group of their computer.

Use users and groups on their computer, select the Administrator group and
add their domain account to that group by selecting their name from the list
of domain users (not local users).




hth
DDS W 2k MVP MCSE

"Sher" <Sher@discussions.microsoft.com> wrote in message
news:E352FA92-4BC5-43B4-AC75-14741297B406@microsoft.com...
> Hi all,
> I have a normal user who logs on to a 2003 server network which has group
> policies set.
> I have a program that requires administrator rights to the workstation in
> order to run.
> If I assign adminstrator rights to the domain user at the workstation
> level
> (user accounts)then the user also has administrartor rights to the domain.
> How can I assign workstation administrator rights to the domain user but
> not
> domain administrator rights?
> I want this user to get all the gp's set.
> Thanks in advance for any help
> Sher

 

[Sher]

Archived from groups: microsoft.public.win2000.security (More info?)

Hi Danny,
If I do this, then the domain user is added as the administrator of the
domain also which I do not want. I only want the domain user to have local
administrator rights.
Sher

"Danny Sanders" wrote:

> Add their domain account to the local administrator group of their computer.
>
> Use users and groups on their computer, select the Administrator group and
> add their domain account to that group by selecting their name from the list
> of domain users (not local users).
>
>
>
>
> hth
> DDS W 2k MVP MCSE
>
> "Sher" <Sher@discussions.microsoft.com> wrote in message
> news:E352FA92-4BC5-43B4-AC75-14741297B406@microsoft.com...
> > Hi all,
> > I have a normal user who logs on to a 2003 server network which has group
> > policies set.
> > I have a program that requires administrator rights to the workstation in
> > order to run.
> > If I assign adminstrator rights to the domain user at the workstation
> > level
> > (user accounts)then the user also has administrartor rights to the domain.
> > How can I assign workstation administrator rights to the domain user but
> > not
> > domain administrator rights?
> > I want this user to get all the gp's set.
> > Thanks in advance for any help
> > Sher
>
>
>

 

[Guest]

Archived from groups: microsoft.public.win2000.security (More info?)

You can not add a user to the domain admin group from their computer. There
is no domain admin group on their computer. To add them to the domain admin
group you have to do that on the server.


Adding their domain account to the local administrator group will result in
the user logging on with their domain account and being administrator of the
local computer.


hth
DDS W 2k MVP MCSE

"Sher" <Sher@discussions.microsoft.com> wrote in message
news:85287DBA-3B61-4381-802B-831478E29CBA@microsoft.com...
> Hi Danny,
> If I do this, then the domain user is added as the administrator of the
> domain also which I do not want. I only want the domain user to have
> local
> administrator rights.
> Sher
>
> "Danny Sanders" wrote:
>
>> Add their domain account to the local administrator group of their
>> computer.
>>
>> Use users and groups on their computer, select the Administrator group
>> and
>> add their domain account to that group by selecting their name from the
>> list
>> of domain users (not local users).
>>
>>
>>
>>
>> hth
>> DDS W 2k MVP MCSE
>>
>> "Sher" <Sher@discussions.microsoft.com> wrote in message
>> news:E352FA92-4BC5-43B4-AC75-14741297B406@microsoft.com...
>> > Hi all,
>> > I have a normal user who logs on to a 2003 server network which has
>> > group
>> > policies set.
>> > I have a program that requires administrator rights to the workstation
>> > in
>> > order to run.
>> > If I assign adminstrator rights to the domain user at the workstation
>> > level
>> > (user accounts)then the user also has administrartor rights to the
>> > domain.
>> > How can I assign workstation administrator rights to the domain user
>> > but
>> > not
>> > domain administrator rights?
>> > I want this user to get all the gp's set.
>> > Thanks in advance for any help
>> > Sher
>>
>>
>>

 

[Guest]

Archived from groups: microsoft.public.win2000.security (More info?)

Was wondering..
Is there a way of having an AD group called 'Local PC Admin' where one
may add domain users as members, then whichever PC these users log
into, they obtain 'Local PC Administrator rights' on that PC during
their session.?
Same as the Domain Admins group members can.. only they get domain
admin rights obviously..
This would save having to know the username for each PC and users could
move around as they do..
AJ



--
APJ
------------------------------------------------------------------------
Posted via http://www.mcse.ms
------------------------------------------------------------------------
View this thread: http://www.mcse.ms/message1808657.html

 

[Guest]

Archived from groups: microsoft.public.win2000.security (More info?)

You could use Group Policy Restricted Groups and the "member of" option for
Windows 2000 computers using at least SP4 and XP Pro/2003 computers. When
doing this you need to create an OU with a Group Policy linked to it that
has Restricted Groups configured. Then move the computers [NOT domain
controllers however] that you want to add the global group to the local
administrators group on into that OU. You can also use Restricted Groups to
managed domain groups and you would want to do that on the domain
controllers container. I would consider domain admins to be a very sensitive
group and would consider Restricted Groups to enforce membership of that
group. You should not need very many members of the domain admins group as
much can be done with AD delegation in a domain. --- Steve

http://support.microsoft.com/default.aspx?kbid=810076 --- Resricted Groups
member of
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/gp/611.asp
--- Restricted Groups

"APJ" <APJ.1vciu1@mail.mcse.ms> wrote in message
news:APJ.1vciu1@mail.mcse.ms...
>
> Was wondering..
> Is there a way of having an AD group called 'Local PC Admin' where one
> may add domain users as members, then whichever PC these users log
> into, they obtain 'Local PC Administrator rights' on that PC during
> their session.?
> Same as the Domain Admins group members can.. only they get domain
> admin rights obviously..
> This would save having to know the username for each PC and users could
> move around as they do..
> AJ
>
>
>
> --
> APJ
> ------------------------------------------------------------------------
> Posted via http://www.mcse.ms
> ------------------------------------------------------------------------
> View this thread: http://www.mcse.ms/message1808657.html
>