Re: Automatically making AD users local administrators on computers in SBS 2003
- From: "Chad A. Gross [SBS MVP]" <chad.gross@xxxxxxxxxxxxxxxxxxxxxxx>
- Date: Sun, 17 Apr 2005 13:28:41 -0500
But that gets cumbersome . . . e.g. you've already deployed your SBS &
workstations (via ConnectComputer) - and three months later you have a new
user that you want to be a local Admin on all workstations (which I'll point
out up front isn't a great idea anyway . . . stupid insecure apps . . .
but I digress . . . ) There's no additional benefit to re-running the
ConnectComputer wizard on each machine - because if you have to touch each
workstation, why not just add the user as an Admin versus running the
ConnectComputer wizard?

In this scenario, you have three options - and they'll all involve touching
each workstation - but you'll be good to go moving forward.

1) On each PC, add the INTERACTIVE group to the Administrators group.
This will automatically give each user that logs in local Admin rights.
Downside is that if you ever want a user to not have local admin rights, you
won't be able to restrict them as long as you have this configuration.

2) Create a Security Group within AD (e.g. Local Admins). On each
workstation, add the domain Local Admins group you created to the local
Administrators group. Then on your SBS, add your existing users to the
Local Admins group, and create a new user template that includes Local
Admins group membership. When you create a new user, use the custom
template and they'll be included in the Local Admins security group, which
will give them local admin rights on the machines where you added the Local
Admins group to the local Administrators group.

3) Preferred solution: Don't give users local admin rights. Find your
problem apps that don't run as a restricted user and start nagging the
vendor. Ask why they find exposing your business to undue risk as a
justified business practice on their part. Find what directories / reg keys
those apps want access to and tweak the permissions accordingly to allow
restricted users to be able to access those locations (and thus run the
problem apps).
--
Chad A. Gross - SBS MVP
SBS ROCKS!
www.msmvps.com/cgross
www.gosbs.org
Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:
> Run the connect computer wizard and that's exactly what is done.
>
> Bob Genestet wrote:
>> Is there any way to automatically add new AD users as local
>> administrators to each client computer. I tried to rerun the
>> "Network Configuration Wizard" to add newly added multiple AD users
>> to client computers except that the wizard will not run again if it
>> detects the computer is already a member of the domain. It would be
>> nice to have the server to automatically assign local rights when a
>> new user logs on at a computer. Is this possible? Thanks,
>> Bob
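
A check for the configurations described in options 1 and 2 of the reply above, added here as an example and not part of the original thread: it lists the members of the local Administrators group on a workstation and flags broad principals such as INTERACTIVE. It assumes Windows PowerShell 5.1 or later on the client and that the option 2 group is named "Local Admins"; the function name Get-LocalAdminAudit is hypothetical.

```powershell
# Added example: audit who holds local admin rights on this workstation.
# Assumes Windows PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts module).

# Well-known SIDs that turn every (or nearly every) logon into a local admin.
$BroadSids = @{
    'S-1-5-4'  = 'INTERACTIVE (option 1: every user who logs on locally)'
    'S-1-5-11' = 'Authenticated Users'
    'S-1-1-0'  = 'Everyone'
}

function Get-LocalAdminAudit {
    param(
        # Assumption: the AD security group from option 2 is named "Local Admins".
        [string]$ExpectedGroup = 'Local Admins'
    )
    # S-1-5-32-544 is the built-in Administrators group on any OS language.
    foreach ($m in Get-LocalGroupMember -SID 'S-1-5-32-544') {
        $sid = $m.SID.Value
        $finding = if ($BroadSids.ContainsKey($sid)) {
            "BROAD: $($BroadSids[$sid])"
        } elseif ($sid -match '^S-1-5-21-.*-513$') {
            'BROAD: Domain Users (RID 513)'
        } elseif ($sid -match '^S-1-5-21-.*-(500|512)$') {
            'expected: built-in Administrator / Domain Admins'
        } elseif ($m.ObjectClass -eq 'Group' -and $m.Name -like "*\$ExpectedGroup") {
            'expected: option 2 security group'
        } elseif ($m.ObjectClass -eq 'User') {
            'REVIEW: individual account added directly'
        } else {
            'REVIEW: unrecognised group'
        }
        # One row per member so results from many PCs can be merged later.
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Member   = $m.Name
            Class    = $m.ObjectClass
            Sid      = $sid
            Finding  = $finding
        }
    }
}

Get-LocalAdminAudit | Sort-Object Finding | Format-Table -AutoSize
```

Rows marked BROAD correspond to the downside described under option 1: while that member is present, no user who logs on can be restricted.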