Re: Use Active Directory to set work station local rights

From: ptwilliams (ptw2001_at_hotmail.com)
Date: 02/10/05 

Date: Thu, 10 Feb 2005 08:20:49 -0000

An alternative to Restricted Groups, as the interface causes many to
stumble, is to use a startup script that uses the net localgroup command via
a batch file. Something like this:

net localgroup administrators /add DOMAIN\GroupName 

-- 
Paul Williams
http://www.msresource.net/
http://forums.msresource.net/
"Cary Shultz [A.D. MVP]" <cwshultz@mvps.org> wrote in message 
news:usx1%23txDFHA.2632@TK2MSFTNGP12.phx.gbl...
Eric,
This question is asked quite often.  Please take a look at Restricted
Groups.....
Just remember that you want to strongly consider creating this GPO on a
workstation that has the ADMINPAK installed...Otherwise, have fun trying to
figure it all out!  I just about tore my hair out [ and as my wife would
point out, it is not 'hairs', just hair! ;-) ] trying to do all of it on a
Domain Controller.   Possible, but really difficult.  Go with the
workstation solution.
Anyway, you should be doing just about all of your admin stuff on a
workstation, anyway ( but that is how I like to do it...the choice is yours
and I can not tell anyone how to do things... ).
-- 
Cary W. Shultz
Roanoke, VA  24014
Microsoft Active Directory MVP
http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
"Eric W. Holzapfel" <e.male@verizon.net> wrote in message
news:vQzOd.24549$uc.22528@trnddc03...
> Hello Active Directory,
>
> I have a win 2000 server, and would like to be able to allow a group of
> users to have administrator privileges (not domain administrator privs)
> on the work station(s) then log in to.  I would like to permit admin
> rights on the workstation without having to go to each work station, and
> adding the specific user to the local administrators group.  Can I do this
> with Active Directory and some sort of group policy?
>
> Thanks,
>
> eric

Relevant Pages

  • Re: Allowing a domain user account (specify) to add workstation to Windows 2000 domain (SP4)
    ... into the local administrators group on the workstation. ... restricted groups you can then modify the group membership to get users into ... Create the gpo in the ou where the Computers reside, ... we removed the right to add workstation to Windows 2000 ...
    (microsoft.public.win2000.active_directory)
  • Re: Account question
    ... Don't let the local user set the group memberships of the group by setting the Restricted Groups. ... To do a quick takeover, set up an OU and apply a restricted group to it for administrators and throw the workstation ... > Suppose a user removed every account except his local username from their> local Administrators group of their Windows XP workstation. ...
    (microsoft.public.win2000.security)
  • Re: SBS 2003 Premium Setup of end users.
    ... local machine Administrators. ... particular workstation remove them from the local Admin group on that ... After the initial setup, those permissions are not needed and the ... computer which is the current Workstation1 unit. ...
    (microsoft.public.windows.server.sbs)
  • Re: Must all users be administrators?
    ... What I am upset about is the extensive use of the administrators ... group on the local workstation. ... > permissions to control, just read permissions. ... If it's a folder, you can ...
    (microsoft.public.windows.server.sbs)
  • Re: SBS 2003 Premium Setup of end users.
    ... In the Local Users & Groups | Groups | Administrators ... I saw an entry for domain users and I deleted it. ... SBS needs a user to have local admin permissions on the workstation to ... That hard drive currently resides on the Workstation1 unit as a spare ...
    (microsoft.public.windows.server.sbs)