Re: problem with giving domain users local admin rights
From: Lanwench [MVP - Exchange] (lanwench_at_heybuddy.donotsendme.unsolicitedmail.atyahoo.com)
Date: 01/28/05
- Next message: Harrison Midkiff: "Re: Want to run a batch file invisibly"
- Previous message: Jerold Schulman: "Re: ADD/Remove programs"
- In reply to: vamshi: "Re: problem with giving domain users local admin rights"
- Next in thread: lforbes: "Re: Re: problem with giving domain users local admin rights"
- Reply: lforbes: "Re: Re: problem with giving domain users local admin rights"
- Reply: Cary Shultz [A.D. MVP]: "Re: problem with giving domain users local admin rights"
- Messages sorted by: [ date ] [ thread ]
Date: Fri, 28 Jan 2005 11:04:33 -0500
vamshi wrote:
> I applied the logon script to the OU the users are in thru group
> policy under user config.\windows settings\logon etc.
OK - as said, a user cannot grant himself more permissions than he already
has.
> They need admin rights because we are constantly evaluating new
> software from companies we do business with. And also there are
> updates to these third party programs that come out on a monthly
> basis. This would allow users to install stuff like hotbar and
> weatherbug, but we can scan the network for those and have users
> remove it. It would be less administration if users had admin rights,
> and anybody that abuses those privileges will be dealt with on a case
> by case basis.
>
> Should I run this script at startup instead?
You need to run it under computer, not user, I think.
>
>
> "Lanwench [MVP - Exchange]" wrote:
>
>> vamshi wrote:
>>> I have server 2000 running and have created a security group with
>>> certain users added to it.
>>> I want these users to have local admin rights to all workstations in
>>> the domain. So I created a logon script and added the net localgroup
>>> "domain\group" /add, and then applied to the domain thru gpo on the
>>> logon script part. For whatever reason this is not adding the
>>> security group to the local admin group on the workstation. The
>>> rest of the script works fine though.
>>
>> Is the login script running under the user's credentials? They can't
>> grant themselves more rights than they have now.
>>
>> I strongly suggest you rethink this anyway - users shouldn't have
>> local admin rights. Very Bad Things can happen this way.