Re: Re: problem with giving domain users local admim rights

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 01/29/05 

Date: Fri, 28 Jan 2005 20:37:12 -0600

You can use a script to add domain user/group to the local administrators
group of domain computers using the "net localgroup" command. It must
however be a startup script which will then run in system context. It works
well in situations where you do not want to use restricted groups due to the
fact that it may remove all current users/groups in the local administrators
group of the domain computer. --- Steve

"lforbes" <UseLinkToEmail@WindowsForumz.com> wrote in message
news:41fadccb$1_4@alt.athenanews.com...
> "Lanwench MVP - Exc" wrote:
> > vamshi wrote:
> > > I applied the logon script to the OU the users are in thru
> > gropu
> > > policy under user config.windows settingslogon etc.
> >
> > OK - as said, a user cannot grant himself more permissions
> > than he already
> > has.
> >
> > > they need admin rights because we are cconstantly evaluating
> > new
> > > software from companies we do business with. And also there
> > are
> > > updates to these third parry programs that come out on a
> > monthly
> > > basis. This would allow users to install stuff llike hotbar
> > and
> > > weatherbug, but we can scan the network for those and have
> > users
> > > remove it. It would be less administration if users had
> > admin rights.
> > > and anybody that abuses those privilges will be dealt with
> > on a case
> > > by case basis.
> > >
> > > Should i run this script at statup instead
> >
> > You need to run it under computer, not user, I think.
> > >
> > >
> > > "Lanwench [MVP - Exchange]" wrote:
> > >
> > way.
>
> Hi,
>
> You need to investigate Restricted Groups. Here you can add domain
> accounts to local accounts on machines. A script won't do that I am
> afraid.
>
> Cheers,
>
> Lara
>
> --
> Posted using the http://www.windowsforumz.com interface, at author's
> request
> Articles individually checked for conformance to usenet standards
> Topic URL:
> http://www.windowsforumz.com/Group-Policy-problem-giving-domain-users-local-admim-rights-ftopict256862.html
> Visit Topic URL to contact author (reg. req'd). Report abuse:
> http://www.windowsforumz.com/eform.php?p=796060

Relevant Pages

  • Re: Hacked Workstations
    ... You can use Group Policy to ... You could create a startup script that uses the command [net user ... administrator newpassword] which would assign the built in administrator a ... they may eventually catch on but for domain computers you could put the ...
    (microsoft.public.win2000.security)
  • Re: Encrypted password in script
    ... account must be a member of the local Administrators group. ... you can use a StartUp script to change ...
    (microsoft.public.scripting.wsh)
  • Re: Hacked Workstations
    ... You can use Group Policy to ... > You could create a startup script that uses the command [net user ... > administrator newpassword] which would assign the built in administrator a ... > they may eventually catch on but for domain computers you could put the ...
    (microsoft.public.win2000.security)
  • Re: User type
    ... > you created to Local Administrators group on the computers. ... > The way I usually do it is by using a script like this ... >> them to the Domanin Admin group? ...
    (microsoft.public.windows.server.setup)
  • Re: I need to give an AD user the ability to install SW on PCs
    ... user logging in would have to have local Administrators access to add ... Maybe startup script would work but I ... Just slap the computers in question in comps.txt (grab your computers from ... Have you already had a look at "Restricted Groups"? ...
    (microsoft.public.windows.group_policy)