Re: Re: problem with giving domain users local admin rights

From: lforbes (UseLinkToEmail_at_WindowsForumz.com)
Date: 01/29/05


Date: 28 Jan 2005 19:46:03 -0500


"Lanwench MVP - Exc" wrote:
> vamshi wrote:
> > I applied the logon script to the OU the users are in thru group
> > policy under user config.windows settingslogon etc.
>
> OK - as said, a user cannot grant himself more permissions than he
> already has.
>
> > They need admin rights because we are constantly evaluating new
> > software from companies we do business with. And also there are
> > updates to these third party programs that come out on a monthly
> > basis. This would allow users to install stuff like hotbar and
> > weatherbug, but we can scan the network for those and have users
> > remove it. It would be less administration if users had admin rights.
> > And anybody that abuses those privileges will be dealt with on a case
> > by case basis.
> >
> > Should I run this script at startup instead?
>
> You need to run it under computer, not user, I think.
> >
> > "Lanwench [MVP - Exchange]" wrote:
> >
> > > vamshi wrote:
> > > > I have server 2000 running and have created a security group with
> > > > certain users added to it.
> > > > I want these users to have local admin rights to all workstations in
> > > > the domain. So I created a logon script and added the net localgroup
> > > > "domaingroup" /add, and then applied to the domain thru gpo on the
> > > > logon script part. For whatever reason this is not adding the
> > > > security group to the local admin group on the workstation. The
> > > > rest of the script works fine though.
> > >
> > > Is the login script running under the user's credentials? They can't
> > > grant themselves more rights than they have now.
> > >
> > > I strongly suggest you rethink this anyway - users shouldn't have
> > > local admin rights. Very Bad Things can happen this way.

Hi,

You need to investigate Restricted Groups. Here you can add domain
accounts to local accounts on machines. A script won’t do that I am
afraid.

Cheers,

Lara

-- 
Posted using the http://www.windowsforumz.com interface, at author's request
Articles individually checked for conformance to usenet standards
Topic URL: http://www.windowsforumz.com/Group-Policy-problem-giving-domain-users-local-admim-rights-ftopict256862.html
Visit Topic URL to contact author (reg. req'd).  Report abuse: http://www.windowsforumz.com/eform.php?p=796060

