RE: Giving Accounts Local Computer Admin Privledge

Hi Jeremy,

Thank you for posting in SBS newsgroup.

>From the description, I understand the issue to be: you want to give local
computer admin permission to domain user but not domain admin permission.
If I have misunderstood your concerns, please do not hesitate to let me
know.

As I know, when a workstation (Windows 2000/XP) is joined in a Windows
2000/2003 domain, the Domain Admins group is automatically added to the
local Administrators group and the domain user account you used to join the
computer in the domain is not added to the group by default. However if you
join the computers in the domain by running the
http://servername/connectcomputer wizard, the user account should be able
to be added to the local administrators group. Therefore I guess you joined
the computers in the domain manually. If you want to add the users to the
local administrators group. you have to perform the following steps on each
client computer on which you want to assign the administrative privileges
to the user:

1. On the client computer, log on using a user account which is a member of
the Domain Admins group. If you want the user to add his account to the
local Administrators group himself, the user must log on his computer
locally using the local Administrator account.

2. Right click the My Computer icon on the desktop and choose Manage.

2. Expand to Local Users and Computers\Groups.

3. Double click on the Administrators group.

4. Click Add.

5. Click Locations. In the list box, choose "Entire Directory" and click OK.

6. Type in the user account or the user's full name and click "Check
Names". Make sure the user name appears as "Domain\UserAccount". If you are
prompted for user name and password, using the account which you are just
adding.

7. Click OK.

If the users cannot do the above steps and you do not want to go to the
client computers one by one, you can use the cusrmgr.exe Windows 2000
Resource Kit tool to add the user accounts on the server:

1. Download the attached cusrmgr.zip file, unzip it, rename the file from
cusrmgr.ex_ to cusrmgr.exe and then put the cusrmgr.exe file to the
C:\Windows\System32 folder.

2. Open a command prompt on the server to add a domain user to a remote
client's local administrators group. For example:

cusrmgr.exe -m \\Computer1 -alg Administrators -u abc

This command line will add the domain user account abc to the client
computer Computer1's local Administrators group.

Report the command line with all the computers and corresponding user
accounts. For more information, see:

297307 How to Add a Master Domain Administrator Account to the Local
http://support.microsoft.com/?id=297307

Hope it helps.

Please do not hesitate to let me know if you have any further concerns. I
will look forward to hearing from you.

Best regards,

Crina Li (MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.

=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| From: "Jeremy Dillinger" <jerdill@xxxxxxxxxxx>
| Subject: Giving Accounts Local Computer Admin Privledge
| Date: Tue, 3 Jan 2006 15:23:35 -0500
|| Newsgroups: microsoft.public.windows.server.sbs
| |
| Is there a way I can give accounts in Active Directory Local Computer
Admin
| Privledge without giving them domain admin privledge? How can I go about
| doing this? Thanks!
|
| Jeremy
|
|
|

Attachment:
cusrmgr.zip

Description: Binary data