Re: Login Script

From: Herb Martin (news_at_LearnQuick.com)
Date: 12/21/04


Date: Mon, 20 Dec 2004 22:38:34 -0600


"scott" <sbailey@mileslumber.com> wrote in message
news:OhMPmLx5EHA.2624@TK2MSFTNGP11.phx.gbl...
> If userA is a member of DOMAIN USERS and is a LOCAL ADMINISTRATOR to userA's
> box, how can userA get access to other PCs on the network?
>
> I'm just trying to limit regular users to only access his own pc and just
> certain network shared folders on a server. I do want them to be able to do
> anything to their own pc.
>

But any user can walk up to any PC, logon, and
become the Admin there, so you really have no
effective limitation.

Oli's idea at least REQUIRES them to physically
logon (or TS etc) to the machine in question.

-- 
Herb Martin
> i'm really getting confused. i've never heard of the INTERACTIVE group
> before.
>
> if you can give more guidance, i'd appreciate you staying with me on this.
>
>
> "Oli Restorick [MVP]" <oli@mvps.org> wrote in message
> news:%23zNOS$s5EHA.2964@TK2MSFTNGP09.phx.gbl...
> > Sorry -- I did indeed miss "the current user" in the original question.
> >
> > Scott, what you're trying to do is not a good practice.  What you may want
> > to consider doing, though, is to add the "INTERACTIVE" group (users
> > logging in at the console) to the local administrators group.
> >
> > The following command will do this and must be done either manually or
> > through a computer startup script.  Users, of course, will not have the
> > required permissions to make the change.
> >
> > net localgroup administrators interactive /add
> >
> > This will mean that any user who logs into such a machine will be an
> > administrator of that box, but they will not be able to do administrative
> > tasks to other machines across the network.
> >
> > Hope this helps
> >
> > Oli
> >
> > "Oli Restorick [MVP]" <oli@mvps.org> wrote in message
> > news:OTcVe5s5EHA.828@TK2MSFTNGP14.phx.gbl...
> >> As I understood the question, Scott wanted a particular user (I'm assuming
> >> a helpdesk person) to not be a member of "Domain Admins", but to be able
> >> to be an administrator of workstations.  If so, a computer startup script
> >> is a perfectly reasonable way of achieving a perfectly reasonable thing.
> >>
> >> Perhaps I'm misreading the question.
> >>
> >> Oli
> >>
> >>
> >> "Herb Martin" <news@LearnQuick.com> wrote in message
> >> news:%231pitFr5EHA.2568@TK2MSFTNGP10.phx.gbl...
> >>> "scott" <sbailey@mileslumber.com> wrote in message
> >>> news:#rT$cjp5EHA.828@TK2MSFTNGP14.phx.gbl...
> >>>> what about a group instead of a user?
> >>>>
> >>>> what would that look like syntax wise?
> >>>
> >>> Let's go back to your original request and consider
> >>> what you really wish to accomplish:
> >>>
> >>>> I'm trying to add the current user (member of DOMAIN USER GROUP) to the
> >>>> LOCAL ADMINISTRATORS group with below code in FIGURE 1, but get error
> >>>> in
> >>>
> >>> IF someone should be a member of the Local Administrators
> >>> group then YOU (or a script on the DCs) should be adding
> >>> them to the appropriate group.
> >>>
> >>> This isn't appropriate for a Startup or Logon script.
> >>> (The user cannot add himself nor can the computer startup
> >>> add a user who has not yet logged onto the computer -- as
> >>> discussed above)
> >>>
> >>> If ALL users should be Admins of ALL machines (which
> >>> is essentially what you were really going to allow -- If
> >>> I COULD log onto a machine you were going to make me
> >>> an Admin -- then just do that by making such a group or
> >>> assigning the Domain Admins.
> >>>
> >>> Although I see this, and the original request, as poor
> >>> practice, you will likely also recognize this
> >>> when stated as such.
> >>>
> >>> We could build a Startup script that would do this IF
> >>> you can identify the users who work at each machine.
> >>>
> >>> -- 
> >>> Herb Martin
> >>>
> >>>
> >>> "scott" <sbailey@mileslumber.com> wrote in message
> >>> news:#rT$cjp5EHA.828@TK2MSFTNGP14.phx.gbl...
> >>>> what about a group instead of a user?
> >>>>
> >>>> what would that look like syntax wise?
> >>>>
> >>>> "Deji Akomolafe" <noemail@akomolafe.dotcom> wrote in message
> >>>> news:ekX8Kyl5EHA.2428@TK2MSFTNGP14.phx.gbl...
> >>>> > Ah, you are correct. Missed that :(
> >>>> >
> >>>> > -- 
> >>>> >
> >>>> >
> >>>> > Sincerely,
> >>>> >
> >>>> > Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
> >>>> > Microsoft MVP - Directory Services
> >>>> > www.readymaids.com - we know IT
> >>>> > www.akomolafe.com
> >>>> > Do you now realize that Today is the Tomorrow you were worried about
> >>>> > Yesterday?  -anon
> >>>> > "Herb Martin" <news@LearnQuick.com> wrote in message
> >>>> > news:eXWiZji5EHA.2540@TK2MSFTNGP09.phx.gbl...
> >>>> >> "Deji Akomolafe" <noemail@akomolafe.dotcom> wrote in message
> >>>> >> news:uDSajUi5EHA.2624@TK2MSFTNGP11.phx.gbl...
> >>>> >> > the variable is %username%. So your syntax would be:
> >>>> >> >
> >>>> >> > net localgroup administrators yourdomainname\%username% /ADD
> >>>> >> >
> >>>> >> > That would add ANY user that logs into the computer into the administrators'
> >>>> >> > group IF you are using Machine Startup Script through a GPO as suggested by
> >>>> >> > Oli. This may be something you want to do in a controlled fashion.
> >>>> >>
> >>>> >> Sorry, this will not work as expected.
> >>>> >>
> >>>> >> At the time that a Computer Startup Script runs, there is
> >>>> >> NO user and the %username% variable holds no value.
> >>>> >>
> >>>> >>
> >>>> >>
> >>>> >
> >>>> >
> >>>>
> >>>>
> >>>
> >>>
> >>
> >>
> >
> >
>
>
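
An added example, not part of the thread: a PowerShell audit that reports whether the local Administrators group on a machine contains INTERACTIVE or another whole-class principal, which is the configuration this thread discusses. It assumes Windows PowerShell 5.1 or later (for `Get-LocalGroupMember`); the function names `Test-BroadAdminSid` and `Get-BroadLocalAdmin` are made up for this illustration.

```powershell
# Added example: flag overly broad principals in the local Administrators group.
# Well-known SIDs are matched instead of names so the check works on localized systems.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-4'      = 'INTERACTIVE'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

function Test-BroadAdminSid {
    # Returns a label when the SID stands for a whole class of users, else $null.
    param([Parameter(Mandatory)][string]$Sid)
    if ($BroadSids.ContainsKey($Sid)) { return $BroadSids[$Sid] }
    # Domain Users is S-1-5-21-<domain identifier>-513 in every domain.
    if ($Sid -match '^S-1-5-21-\d+-\d+-\d+-513$') { return 'Domain Users' }
    return $null
}

function Get-BroadLocalAdmin {
    # S-1-5-32-544 is the built-in Administrators group on every Windows machine.
    foreach ($member in Get-LocalGroupMember -SID 'S-1-5-32-544') {
        $label = Test-BroadAdminSid -Sid $member.SID.Value
        if ($label) {
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Member   = $member.Name
                Sid      = $member.SID.Value
                Reason   = "$label makes a whole class of users local admins"
            }
        }
    }
}

# Prints nothing when only specific accounts or dedicated groups are members.
Get-BroadLocalAdmin | Format-Table -AutoSize
```

Run from a startup script or an inventory job, this gives one row per offending member, so machines where `net localgroup administrators interactive /add` has been applied show up in a fleet-wide report.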

