Re: Add domain user to Local Administrators Group on a workstation



In news:18D2CA45-1FED-4422-881F-AFE187BC8A56@xxxxxxxxxxxxx,
Curt Winter <CurtWinter@xxxxxxxxxxxxxxxxxxxxxxxxx> typed:
How can I do it centrally when I need to add the user of the computer
to the local administrators group?

It's a domain user, right? You can do this in several ways. You can manage
the computer and edit the local administrator group membership, from your
DC. You can use restricted groups. You can "use net localgroup
administrators domain\username /add " in a computer startup script, as I
mentioned.


"Lanwench [MVP - Exchange]" wrote:



In news:F9B5C1B6-3FD9-4341-BC9B-B6639E00B4F3@xxxxxxxxxxxxx,
Curt Winter <CurtWinter@xxxxxxxxxxxxxxxxxxxxxxxxx> typed:
ok I have set-up a brand new Windows 2003 R2 AD, it is running DNS.

When I log on with the DOMAIN ADMINISTRATOR account on any of the
workstation in the domain and try and add a domain user to the local
Administrators Group, it does not show me the domain or allow me to
add users from the domain. On the comuters properties it shows the
machine as on the domain. I can attach to and user Domain
resources, IE printers, shared folders. But it only shows me local
computer users and groups.

You ought to be able to change the context to the domain, from the
local workstation, within that dialog box. Is your internal DNS set
up properly?

Note - it might be easier to do what you're doing centrally, either
via restricted groups & group policy, or even by running a startup
script with

net localgroup administrators domain\domaingroup /add

or something like it.


In another windows 2000 AD domain I manage I go in a regularly add
domain users into the local computer groups without issue.

Is there some policy I must change in Server 2003 to accomplish
this? is this now locked down my microsoft and something I have to
open up to be able to do?

Any help would be appriciated.

Thank you.

Curt Winter


.

Relevant Pages

  • Re: Group Policy
    ... I am not a fan of putting any domain user account object in the local ... they are members of the local Administrators group then they can do anything ... I might suggest that you take a spin over to the Group Policy news group. ...
    (microsoft.public.win2000.active_directory)
  • Re: Give Domain Users Local Admin Rights
    ... I know that I could add the indivdual domain user to the ... they do not have local admin ... >> I added DOMAIN USERS to the local administrators group ... >> are logged on to without giving them Local Admin rights ...
    (microsoft.public.windowsxp.security_admin)
  • RE: Securing access to network registry
    ... >Thank you for the posting. ... >This is normal because your domain user account is in the ... >registry keys because they are not in the administrators ... >Anyone in the administrators group can have access to the ...
    (microsoft.public.win2000.security)
  • Re: Computer user & domain user
    ... I normally configure two accounts for each workstation. ... Administrators group, it works fine. ... >> software between computer user & domain user in a Windows XP Pro ... > will automatically have permissions for domain users too. ...
    (microsoft.public.windowsxp.network_web)
  • RE: Securing access to network registry
    ... >Thank you for the posting. ... >This is normal because your domain user account is in the ... >registry keys because they are not in the administrators ... >Anyone in the administrators group can have access to the ...
    (microsoft.public.win2000.security)
Loading