Re: problem with giving domain users local admim rights

From: Cary Shultz [A.D. MVP] (cwshultz_at_mvps.org)
Date: 01/29/05


Date: Fri, 28 Jan 2005 19:43:58 -0500

Lanwench, Vamsi,

comments in-line......

-- 
Cary W. Shultz
Roanoke, VA  24014
Microsoft Active Directory MVP
http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
"Lanwench [MVP - Exchange]" 
<lanwench@heybuddy.donotsendme.unsolicitedmail.atyahoo.com> wrote in message 
news:OkIIK%23VBFHA.3320@TK2MSFTNGP10.phx.gbl...
> vamshi wrote:
>> I applied the logon script to the OU the users are in thru group
>> policy under user config.\windows settings\logon etc.
>
> OK - as said, a user cannot grant himself more permissions than he already
> has.
Correct!  Think about the consequences were this not the case.  Network 
Security would be a complete farce.  Users would be able to make themselves 
members of the local Administrators group and God knows what else.
This logon script would actually need to be a start up script.
And, there is a much better way to do this.  Look into the Restricted Groups 
GPO.  Here are two MSKB Articles that will get you going:
http://support.microsoft.com/?id=320065
http://support.microsoft.com/?id=810076
>> they need admin rights because we are constantly evaluating new
>> software from companies we do business with. And also there are
>> updates to these third party programs that come out on a monthly
>> basis. This would allow users to install stuff like hotbar and
>> weatherbug, but we can scan the network for those and have users
>> remove it. It would be less administration if users had admin rights.
>> and anybody that abuses those privileges will be dealt with on a case
>> by case basis.
You might want to look into the Restricted Software GPO to help out with 
this.  Granted, in a WIN2000 environment there is an easy way around this 
for the end-user ( simply rename the .exe or whatever ) but with WIN2003 
this is not possible as a hash is used...renaming the .exe or whatever does 
not make a hill of beans of difference.
You also might want to take a workstation and try to install the software on 
it.  Assuming that this fails then you might want to take a look at regmon 
and filemon from http://www.sysinternals.com to figure out where the failure 
is occurring.
>> Should I run this script at startup instead?
>
> You need to run it under computer, not user, I think.
>>
>>
>> "Lanwench [MVP - Exchange]" wrote:
>>
>>> vamshi wrote:
>>>> I have server 2000 running and  have created a security group with
>>>> certain users added to it.
>>>> I want these users to have local admin rights to all workstations in
>>>> the domain. So I created a logon script and added the net localgroup
>>>> "domain\group" /add, and then applied to the domain thru gpo on the
>>>> logon script part. for whatever reason this is not adding the
>>>> security group to the local admin group on the workstation. The
>>>> rest of the script works fine though.
>>>
>>> Is the login script running under the user's credentials? They can't
>>> grant themselves more rights than they have now.
>>>
>>> I strongly suggest you rethink this anyway - users shouldn't have
>>> local admin rights. Very Bad Things can happen this way.
I will spare you the stories that I could tell you about users deleting all 
of their fonts because they needed special fonts and did not want to have to 
remember which ones were special or about the users who deleted a ton of 
things to make room for their music files or......
I never never never encourage this and do just about everything to prevent 
this.  Domain user account objects should be in the USERS or at most POWER 
USERS local groups....no more. 
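
A defender-side check that goes with the Restricted Groups advice above, added here as an example and not part of the original thread: it lists who is actually in the local Administrators group on a workstation and reports drift from the membership you intended the GPO to enforce. It assumes the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 and later, so much newer than the WIN2000/WIN2003 boxes discussed), and "CONTOSO\WorkstationAdmins" is a placeholder for your own domain group.

```powershell
# Added example, not from the original post. Compares the local Administrators
# group against an approved list, the set a Restricted Groups policy would pin.
function Get-LocalAdminDrift {
    param(
        # Principals that are allowed to be local admins (placeholders below)
        [Parameter(Mandatory)][string[]]$Approved
    )

    $members = Get-LocalGroupMember -Group 'Administrators' |
        ForEach-Object {
            # Local principals come back as COMPUTERNAME\Name; strip the
            # machine prefix so a bare name such as "Administrator" matches.
            $_.Name -replace "^$([regex]::Escape($env:COMPUTERNAME))\\", ''
        }

    # Members present on the box that are not on the approved list
    $unexpected = @($members | Where-Object { $Approved -notcontains $_ })
    # Approved members that a script or GPO failed to add (the poster's symptom)
    $missing    = @($Approved | Where-Object { $members -notcontains $_ })

    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        Members    = @($members)
        Unexpected = $unexpected
        Missing    = $missing
    }
}

# Placeholder approved set: built-in Administrator, Domain Admins and the
# domain group the thread wants on every workstation.
$report = Get-LocalAdminDrift -Approved @(
    'Administrator',
    'CONTOSO\Domain Admins',
    'CONTOSO\WorkstationAdmins'
)

if ($report.Unexpected.Count -gt 0) {
    Write-Warning ('{0}: unexpected local Administrators: {1}' -f
        $report.Computer, ($report.Unexpected -join ', '))
}
if ($report.Missing.Count -gt 0) {
    Write-Warning ('{0}: approved members missing: {1}' -f
        $report.Computer, ($report.Missing -join ', '))
}
$report
```

Run it as a computer startup script or via Invoke-Command against a list of workstations; individual domain user accounts showing up under Unexpected are exactly the accounts the thread says should stay in Users or Power Users.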

