Re: non-admins force logoff?


From: Sundaram Narayanan[MSFT] (sunnar_at_online.microsoft.com)
Date: 11/12/04


Date: Fri, 12 Nov 2004 08:47:32 -0800

Restricted User Groups can be used to achieve this through policy. You may
have to isolate your workstations into a single OU to make this work though.

-- 
This posting is provided "AS IS" with no warranties, and confers no rights. 
Use of included script samples are subjected to the terms specified at 
http://www.microsoft.com/info/cpyright.htm.
"Todd J Heron" <todd_heron_no_spam@hotmail.com> wrote in message 
news:u2Z%23X5ByEHA.2656@TK2MSFTNGP14.phx.gbl...
> Ok, forget about OUs for this task.  We did this in an NT 4 domain and it 
> worked great.
>
> Create a text file that contains, for all workstations in your domain:
>
> ComputerName,DomainUserName
>
> Using psexec, tip 4141 in the 'Tips & Tricks' at http://www.jsiinc.com
>
> @echo off
> for /f "Tokens=1* Delims=," %%a in (filename.txt) do (
> psexec \\%%a [psexec stuff] net localgroup "Administrators" %%b /ADD
> )
>
> -or-
>
> An alternate method would be to use the Reskit tool usrtogrp.exe and call 
> it as part of the domain loginscript, which will slowly add this group to 
> the local administrators over time.
>
> Example of how to add a specific Group to the local Administrators group 
> on a given machine:
> net localgroup Administrators domainName\GroupName /add
>
> -- 
> Todd J Heron, MCSE
> Windows 2003/2000/NT
>
> "BFH" <BFH@discussions.microsoft.com> wrote in message 
> news:A4CCED34-D97A-49E1-B380-A07358536A0A@microsoft.com...
>> I get the theory, but I don't see how to do it with an OU in AD - Where do
>> I go to add my helpdesk group to the local administrators (without walking
>> from PC to PC)?
>>
>> "Todd J Heron" wrote:
>>
>>> Best practice:
>>>
>>> Make the helpdesk part of a domain global group which is in the local
>>> administrators group of all domain workstations (not servers).  You can
>>> do this with an OU.  This way they do not have to be domain admins.
>>>
>>> -- 
>>> Todd J Heron, MCSE
>>> Windows 2003/2000/NT
>>>
>>> "BFH" <BFH@discussions.microsoft.com> wrote in message
>>> news:DFCC3795-46BE-477D-AC5C-912E8E51AF55@microsoft.com...
>>> > I have a security policy which locks PCs after 15 minutes of idle time;
>>> > users see the "pc is locked, can only be unlocked by [name of user] or
>>> > an administrator" message.   I would like to give helpdesk personnel
>>> > the right to unlock those PCs without making them all domain admins.
>>> > I'm guessing there must be some User Rights Assignment in the Domain
>>> > Security Policy which will do the job, but I can't find it.  Any
>>> > suggestions?
>>>
>>>
>>>
>
> 
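
Added example, not part of the original thread: whichever method is used (Restricted Groups policy or the scripted `net localgroup ... /add`), the resulting local Administrators membership can be checked against the intended list. This PowerShell sketch parses `net localgroup Administrators` output gathered from each workstation and reports unexpected or missing members; the domain `CORP`, the group `Helpdesk`, the workstation names and the sample output are all constructed, and English-language command output is assumed.

```powershell
# Expected local Administrators on workstations (hypothetical names).
$Policy = @('Administrator', 'CORP\Domain Admins', 'CORP\Helpdesk')

function Get-MembersFromNetLocalgroup {
    param([string[]]$Lines)
    # Members are listed between the dashed rule and the completion message
    # (English-language "net localgroup" output assumed).
    $inList = $false
    foreach ($line in $Lines) {
        $t = $line.Trim()
        if ($t -match '^-{10,}$') { $inList = $true; continue }
        if ($t -like 'The command completed*') { break }
        if ($inList -and $t) { $t }
    }
}

function Compare-AdminMembership {
    param([string]$Computer, [string[]]$Actual, [string[]]$Expected)
    # -notin compares case-insensitively, as Windows does for account names.
    $extra   = @($Actual   | Where-Object { $_ -notin $Expected })
    $missing = @($Expected | Where-Object { $_ -notin $Actual })
    [pscustomobject]@{
        Computer   = $Computer
        Unexpected = $extra -join '; '
        Missing    = $missing -join '; '
        Compliant  = ($extra.Count -eq 0 -and $missing.Count -eq 0)
    }
}

# Constructed sample output, keyed by workstation name.
$rule = '-' * 79
$Samples = [ordered]@{
    'WKS001' = @('Alias name     Administrators', '', 'Members', '', $rule,
                 'Administrator', 'CORP\Domain Admins', 'CORP\Helpdesk',
                 'The command completed successfully.')
    'WKS002' = @('Alias name     Administrators', '', 'Members', '', $rule,
                 'Administrator', 'CORP\Domain Admins', 'CORP\jsmith',
                 'The command completed successfully.')
}

foreach ($name in $Samples.Keys) {
    $members = @(Get-MembersFromNetLocalgroup -Lines $Samples[$name])
    Compare-AdminMembership -Computer $name -Actual $members -Expected $Policy
}
```

With the constructed data, WKS001 is reported as compliant, while WKS002 shows `CORP\jsmith` as unexpected and `CORP\Helpdesk` as missing.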

