Re: Granting client local admin access via GPO to logged on user o



Use the scripting magic:

strComputer = "." ' Says local computer.
Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators") ' Change /Administrators to desired group.
Set objUser = GetObject("WinNT://domain/user") ' Change //domain/user to desired user with domain.
objGroup.Add(objUser.ADsPath) ' Make it happen.

Make A GPO and let her rip baby.

strComputer = "."
Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators")
Set objUser = GetObject("WinNT://domain/user")
objGroup.Add(objUser.ADsPath)



"Danny Sanders" wrote:

I don't know how many users you are talking about but your best bet is to
log into the user's computer that they use regularly and add their domain
account to the local admin group on that computer only. When they log into
that computer they will be admin of that machine. If they log into another
computer they will be a regular user. If they access another computer
remotely they will be a regular user.

hth
DDS

"jmedd" <jmedd@xxxxxxxxxxxxxxxx> wrote in message
news:167129A4-FB10-4837-883B-D2E797CF5EC8@xxxxxxxxxxxxxxxx
Thanks for the reply.

The difference is that they only need to be admin on the machine they use to
do things like run certain applications which need admin rights, install
printers etc.

The downside with the way we currently have this setup is that anyone with
half a brain can consequently get access to the local drives on any other
client machine. Although users are advised not to store data on their local
machines there's a long standing culture here where they still do so there's
a potential security concern of being able to access someone else's data.

So I only want them to have local admin rights on the machine they use.
There's very little (if any at all) concept of people sharing machines, i.e.
a machine issued to one person is typically only used by that person.

Hopefully that makes sense.

"Danny Sanders" wrote:

Obviously this means that anybody has admin access to any machine.

What I would like to be able to achieve is the logged on user should only
have admin access to the machine they are currently using.

I'm not seeing the difference. When a user logs into a computer they are
made administrator of that machine. If they log into another machine you
want them to be admin there also.

What is the problem with them having admin access to "any machine", when you
allow them to log onto "any machine" and give them admin access on "any
machine" they are using?

If they *need* admin access to do their job on one machine, and they access
that machine remotely, they are going to need admin access to the remote
machine to do their job.
If they can do their job remotely and they don't need admin access to do
their job remotely, they probably don't need admin access to do their job
when logging in locally to that same machine.

DDS

"jmedd" <jmedd@xxxxxxxxxxxxxxxx> wrote in message
news:1BDB007C-E564-4DCE-BDA6-2B08FC04A1E4@xxxxxxxxxxxxxxxx
We need to give our users local admin access to their client 2000 / XP
machines and currently this is done via a GPO which adds a 'LocalAdmin
Access' domain based group to the local administrators group. Users are then
added to the domain based group.

Obviously this means that anybody has admin access to any machine.

What I would like to be able to achieve is the logged on user should only
have admin access to the machine they are currently using.

Does anyone have any suggestions how this could be done via GPO?

Thanks
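
Added example, not part of the thread or any poster's code: a variant of the script at the top of this reply that grants local admin only to the one account assigned to each machine, instead of a hardcoded user or a domain-wide group. It assumes deployment as a computer startup script (which runs as Local System); the computer names, the EXAMPLE domain and the accounts in the mapping are constructed placeholders.

```vbscript
Option Explicit

' Constructed mapping: computer name -> the single domain account that may
' be a local administrator there. Replace with your own inventory.
Dim owners
Set owners = CreateObject("Scripting.Dictionary")
owners.CompareMode = vbTextCompare          ' computer names are case-insensitive
owners.Add "PC-0001", "EXAMPLE/alice"
owners.Add "PC-0002", "EXAMPLE/bob"

Dim net, shell, computer
Set net = CreateObject("WScript.Network")
Set shell = CreateObject("WScript.Shell")
computer = net.ComputerName

' Machines without an assigned owner are left untouched.
If Not owners.Exists(computer) Then
    shell.LogEvent 2, "LocalAdmin script: no owner assigned for " & computer
    WScript.Quit 0
End If

Dim objGroup, objUser
Set objGroup = GetObject("WinNT://" & computer & "/Administrators,group")
Set objUser = GetObject("WinNT://" & owners(computer) & ",user")

' Add the owner only if not already a member, so reruns at every boot
' do not raise an error, and record the change in the Application log.
If Not objGroup.IsMember(objUser.ADsPath) Then
    objGroup.Add objUser.ADsPath
    shell.LogEvent 4, "LocalAdmin script: added " & objUser.ADsPath & _
        " to Administrators on " & computer
End If

' Log the resulting membership so unexpected entries (for example a broad
' domain group left over from an older GPO) can be reviewed.
Dim member, report
report = "LocalAdmin script: Administrators on " & computer & ":"
For Each member In objGroup.Members
    report = report & vbCrLf & "  " & member.ADsPath
Next
shell.LogEvent 4, report
```

The script only adds members; removing the domain-wide group from the local Administrators group is a separate change to the existing GPO.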





