Re: Automatically making AD users local administrators on computers in SBS 2003

You have to remember that even though you give the user a different account
to install software and then they logoff and back in as themselves, it still
might not work if the software does not have the "Designed for XP/2000" logo
certification. If it isn't, you are going to have to touch the workstation
to figure out what file or registry permissions need to be changed to allow
it to work.

--
Rick Faria - MCSE / A+
RDF Technical Services - www.rdfts.com
Email: support at rdfts dot com


"Bob Genestet" <bob_genestet@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:%23oPC005QFHA.2996@xxxxxxxxxxxxxxxxxxxxxxx
> Thanks everyone, for the excellent discussion.
> I am in total agreement that it is best practice to adhere to a "least is
> best" when assigning user rights. It used to be that a company policy was
> enough to prevent misuse, but not anymore given the increasing presence of
> malicious software installing itself by impersonating the currently logged
> on user.
> My goal is to give some control back to those clients requesting it and at
> the same time protect them from unwanted malicious software. I believe
> that implementing firewalls, antivirus, antispyware, patching, and company
> usage policy are fundamental to good security. These are relatively
> automatic and do not require an administrator's ongoing presence.
>
> I think I will set up an account as Chad suggested using option 2 and
> provide the client this account and password. When an employee needs to
> install some new software that requires local administrative rights, they
> can use this special local administrator account. I suppose you could set
> up everyone with a second account having local administrative rights to
> use for software installation. The incentive to not use their local
> administrative account except for software installation would be their
> email not available under that account.
>
> I would like to find a simpler, more transparent method that would allow
> programs that require local administrative rights to install correctly
> from a logon script. Is anyone familiar with EPAL (Elevated Privileges
> Application Launcher)?
> http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=CF3CC921-9B8E-4266-A905-2E2A20217CE0
>
> I also ran across this product which might provide a solution.
> http://www.emco.is/tutorials/runasprofessional/how_to_create_runas_action/how_to_create_runas_action.html
>
> I suppose Microsoft SMS offers a solution to this problem although a
> little pricey for my clientele.
>
> Thanks to all,
> Bob
>
> "Chad A. Gross [SBS MVP]" <chad.gross@xxxxxxxxxxxxxxxxxxxxxxx> wrote in
> message news:uqNcNt3QFHA.244@xxxxxxxxxxxxxxxxxxxxxxx
>> But that gets cumbersome . . . e.g. you've already deployed your SBS &
>> workstations (via ConnectComputer) - and three months later you have a
>> new user that you want to be a local Admin on all workstations (which
>> I'll point out up front isn't a great idea anyway . . . stupid insecure
>> apps . . . but I digress . . . ) There's no additional benefit to
>> re-running the ConnecetComuter wizard on each machine - because if you
>> have to touch each workstation, why not just add the user as an Admin
>> versus running the ConnectComputer wizard?
>>
>> In this scenario, you have three options - and they'll all involve
>> touching each workstation - but you'll be good to go moving forward.
>>
>> 1) On each PC, add the INTERACTIVE group to the Administrators group.
>> This will automatically give each user that logs in local Admin rights.
>> Downside is that if you ever want a user to not have local admin rights,
>> you won't be able to restrict them as long as you have this
>> configuration.
>>
>> 2) Create a Security Group within AD (e.g. Local Admins). On each
>> workstation, add the domain Local Admins group you created to the local
>> Administrators group. Then on your SBS, add your existing users to the
>> Local Admins group, and create a new user template that includes Local
>> Admins group membership. When you create a new user, use the custom
>> template and they'll be included in the Local Admins security group,
>> which will give them local admin rights on the machines where you added
>> the Local Admins group to the local Administrators group.
>>
>> 3) Preferred solution: Don't give users local admin rights. Find
>> your problem apps that don't run as a restricted user and start nagging
>> the vendor. Ask why they find exposing your business to undue risk as a
>> justified business practice on their part. Find what directories / reg
>> keys those apps want access to and tweak the permissions accordingly to
>> allow restricted users to be able to access those locations (and thus run
>> the problem apps).
>>
>> --
>>
>> Chad A. Gross - SBS MVP
>> SBS ROCKS!
>>
>> www.msmvps.com/cgross
>> www.gosbs.org
>>
>>
>> Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:
>>> Run the connect computer wizard and that's exactly what is done.
>>>
>>> Bob Genestet wrote:
>>>> Is there any way to automatically add new AD users as local
>>>> administrators to each client computer. I tried to rerun the
>>>> "Network Configuration Wizard" to add newly added multiple AD users
>>>> to client computers except that the wizard will not run again if it
>>>> detects the computer is already a member of the domain. It would be
>>>> nice to have the server to automatically assign local rights when a
>>>> new user logs on at a computer. Is this possible? Thanks,
>>>> Bob
>>
>>
>
>


.

Relevant Pages

  • RE: Why should we disable local administrator accounts?
    ... I understand that you have concerns on disabling local Administrator ... Account on client workstations in SBS domain. ... At least if your local admin passwords are ...
    (microsoft.public.windows.server.sbs)
  • Re: SMS 2003 must use domain admin. to install?
    ... You need to add the MEMBER_SERVER$ to the local admin group on the DC. ... you want to publish in AD you have to give the same account full control ... >>> I try to install SMS2003 using advanced security, ...
    (microsoft.public.sms.setup)
  • Re: Creating folder - Marina Roos
    ... the same user account also created in the local computer ... and add to local admin group aswell. ... This program will install per user ...
    (microsoft.public.backoffice.smallbiz)
  • Re: Change local admin passwords on all domain PCs
    ... Again, another desktop deployment question... ... I have seen companies assign the local Administrator password during the build process. ... They also have a domain user account, which is added to the local Administrators group, that has the necessary permissions to join the PC to the domain and perform post-installation tasks. ... How do you handle it with saving the local admin password, when you have to logon locally without the domain? ...
    (microsoft.public.windows.server.active_directory)
  • Re: Preventing Users from removing their PC from the Domain
    ... It is the machine local admin that controls disposition of the machine ... valid domain credentials were or were not provided so that the ... account, but you will notice the object displayed with the round red x ... if you are logged on as a local administrator. ...
    (microsoft.public.win2000.security)