Re: Allowing local administration

From: ptwilliams (ptw2001_at_hotmail.com)
Date: 12/13/04 

Date: Mon, 13 Dec 2004 18:00:57 -0000

Adding yourself to the administrators group simply gives you full control
over AD. If you want full control over all machines you should add yourself
to the domain admins group -this group is automatically added to the local
machine's administrators group when the machine joins the domain.

As a solution for your question, there's two main ways of doing this:

1. Create a group and add all users to this group. Then write a batch file
that simply contains the following:
net localgroup administrators /add domainGroupName

Add this script as a *startup* script to a GPO and link the GPO to the
domain.

2. Or, you could use the restrictive groups GPO function:
 -- http://support.microsoft.com/?id=279301
 -- http://www.jsiinc.com/SUBG/TIP3200/rh3251.htm

There'll be other ways, but these two or relatively painless and the first
things that spring to mind ;-) 

-- 
Paul Williams
http://www.msresource.net
http://forums.msresource.net
"Mike" <iamsam@nospam.com> wrote in message 
news:OKCJBOT4EHA.1392@tk2msftngp13.phx.gbl...
What I'm trying to do, I feel, should be rather easy - and common?  But I'm
not a AD administrator - just acting as such temporarily.
We have a single domain controller in a small work environment.  Most of our
users have laptops, some have PCs.
I trust our users to maintain their own systems if they so wish.  That is,
I'd like for them to have the ability to install software, change network
settings (ie, wireless outside the office), basically do anything you would
be able to do with your home PC.
How do I setup some of my users so they have the ability to perform these
functions?  I've even tried to set myself up in the administrators group,
but still can't seem to even install software without logging in as the
administrator user.
What's up?
I've been reviewing:
http://www.windowsecurity.com/articles/Using-Restricted-Groups.html
Which sounds right, but I can't seem to find which policy editor object to
use.
Any help please would be appreciated.

Relevant Pages

  • Re: Forcing groups into the local admin account
    ... of the Administrators group on the machines within the scope ... with the only way to change it being changing the GPO ... > domain groups to a machines local admin group via GPO. ... > current permissions except for the local admin account. ...
    (microsoft.public.windows.group_policy)
  • Re: Delegation - Password Reset - Access Denied
    ... Control Wizard from the MS TechNet web site. ... Yet a user in that group gets and error when trying to reset a password. ... BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx ... Administrators Group defeat the purpose of using Deligation? ...
    (microsoft.public.windows.server.active_directory)
  • Re: Need to fix Local Admin rights problem
    ... Settings/Restricted Groups) all members of the Local Administrators group ... When the techs setup the machines they add domain\users to the ... I would like to fix this with a gpo. ... I would like to allow certain groups to local admin rights on certain ...
    (microsoft.public.windows.group_policy)
  • Re: Remote Access to Services
    ... Control what is in your ... Administrators group as a start, ... control what accounts are granted the user rights ... Currently if someone on our network opens ...
    (microsoft.public.windowsxp.security_admin)
  • Re: Why does not permit logon interactively?
    ... The builtin administrators group of domain b does not include the administrator from domain a. ... Check out "Planning your access control strategy for multiple domains" and "Best practices for controlling access to shared resources across domains" ... I am using Administrator account go logon. ... User Rights Assignment "Allow logon locally" ...
    (microsoft.public.windows.server.active_directory)
Quantcast