Re: Change local admin settings




Adrian Marsh (NNTP) wrote:
Hi Terence,

99% of my machines were added via normal AD, not using SBS wizards.
I understand Scenario 2, but it's not really practicable - I'm the only
IT guy, supporting 100 desktop/laptops (60 users), and I can't visit
every one.

You could script, batch it, or do it through remote management tools. What's
your preference?


Terence Liu [MSFT] wrote:
Hello Adrian,

Thank you for posting here.

According to your description, I understand that you want each domain
user account to be an admin only of its own computer. If I have
misunderstood the problem, please don't hesitate to let me know.

Based on my research, your goal can be achieved automatically by the
connectcomputer wizard of SBS.

When you, on the client computer, access the web site
http://SBSname/connectcomputer/, the web site will run a wizard to
join the client computer to the SBS domain. In the wizard, you will
be prompted to select a domain user account to assign to this computer.
This domain user account will be added to this computer's local
administrators group automatically. Therefore, after you run the
connectcomputer wizard to join a client to the SBS domain, the assigned
user account will be the client computer's administrator. And the
other users will only be the client computer's users.

Therefore, there are 2 scenarios:

Scenario 1: You had used the connectcomputer wizard to join the client
computers to the SBS domain

We only have to remove the Domain Users from the Restricted
Administrators Group

Scenario 2: You had used the general Windows 2003 method to join the
client computers to the SBS domain

a. Remove the Domain Users from the Restricted Administrators Group

b. Disjoin the client from the SBS domain: Client computer->control
panel->system->computer name tab->Change button, select workgroup,
click OK and restart the computer.

c. Rejoin the SBS domain via the connectcomputer wizard

For the Lab PC, if you want every domain user to be able to install
applications on it, please manually add the domain users to the local
administrators group.

1. On Lab PC, right click My Computer, select manage
2. Extend System Tools->Local Users and Groups->Groups, double click
Administrators
3. Add "Domain Users" in the list, click OK.

Additionally, if you want to resolve this issue with a customized logon
script, I suggest you repost your issue in the MSDN newsgroup:
http://msdn.microsoft.com/newsgroups/default.asp

Hope these steps will give you some help.

Thanks and have a nice day!

Best regards,

Terence Liu(MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

=====================================================
This newsgroup only focuses on SBS technical issues. If you have
issues regarding other Microsoft products, you'd better post in the
corresponding newsgroups so that they can be resolved in an
efficient and timely manner. You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you
check the "Notify me of replies" box to receive e-mail notifications
when there are any updates in your thread. When responding to posts
via your newsreader, please "Reply to Group" so that others may
learn and benefit from your issue.

Microsoft engineers can only focus on one issue per thread. Although
we provide other information for your reference, we recommend you
post different incidents in different threads to keep the thread
clean. In doing so, it will ensure your issues are resolved in a
timely manner.

For urgent issues, you may want to contact Microsoft CSS directly.
Please check http://support.microsoft.com for regional support phone
numbers.

Any input or comments in this thread are highly appreciated.
=====================================================

This posting is provided "AS IS" with no warranties, and confers no
rights.

--------------------
Date: Thu, 19 Jul 2007 19:25:25 +0100
From: "Adrian Marsh (NNTP)" <adrian.marsh@xxxxxxxxxxxxxxxxxxxxxxx>
Subject: Change local admin settings
Newsgroups: microsoft.public.windows.server.sbs

Hi All,

I've a scripting dilemma for you. When we first set up our SBS 2003
server, I was asked to make it simple (working only 1 hour a week..,
remotely)

At the time, the simplest setup was to make each user a local
admin, so they could install apps etc.

I did this by adding the Domain Users group to the Restricted Groups
"Administrators" group. This gave easiest setup, as users could
share and cross use PCs as need be.

However, I now need to break this up. Our company has grown. I have
a bunch of "corporate PCs" (around 60), and a bunch of "Lab PCs".

I'd like to change the Corporate PCs, so that each user is still an
Admin of their local PC, but does not necessarily have access to
other people's PCs. The lab PCs are shared via a single user account
anyway.

Here's my dilemma:

If I just remove the Domain Users from the Restricted Group, then
obviously end users just lose admin access. But I need to maintain
that each user has access to their own PC.

I was thinking of adding a logon script, that ran as a domain admin
account (runas or something), that then added that user to the
local PC's admin group, something based around this document:

http://www.microsoft.com/technet/scriptcenter/resources/qanda/oct04/hey1008.mspx

This way, even though the domain policy has been freed of the
Restricted Group, the logon script would hopefully add them back in
before they'd notice.

Can anyone suggest a better idea?

Cheers,

Adrian

--
/kj
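
An audit sketch for the cleanup discussed in this thread, added here as an example and not posted by any participant: it checks each PC's local Administrators group for broad groups such as Domain Users and confirms the assigned owner is a member. The domain name `CONTOSO`, the PC and user names, and the function names `Get-LocalAdminMember` and `Test-LocalAdminPolicy` are assumptions made for illustration.

```powershell
# Added example: audit local Administrators membership against a PC -> owner map.
# Domain, computer and user names below are constructed samples.

$Domain      = 'CONTOSO'                                  # assumption: NetBIOS domain name
$Owners      = @{ 'PC-001' = 'alice'; 'PC-002' = 'bob' }  # constructed PC -> owner map
$BroadGroups = @('Domain Users', 'Authenticated Users', 'Everyone')

function Get-LocalAdminMember {
    param([string]$Computer)
    # WinNT ADSI provider: enumerate members of the machine's local Administrators group.
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    foreach ($m in $group.Invoke('Members')) {
        # ADsPath looks like WinNT://DOMAIN/name or WinNT://DOMAIN/PC/name
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

function Test-LocalAdminPolicy {
    param([string]$Computer, [string[]]$Members, [string]$Owner)
    # A member is "broad" when its last path component names a catch-all group.
    $broad   = @($Members | Where-Object { $BroadGroups -contains ($_ -split '\\')[-1] })
    $ownerOk = $Members -contains "$Domain\$Owner"
    [pscustomobject]@{
        Computer     = $Computer
        OwnerIsAdmin = $ownerOk
        BroadGroups  = $broad -join ', '
        Compliant    = ($broad.Count -eq 0) -and $ownerOk
    }
}

# Offline check with constructed membership lists (the shape Get-LocalAdminMember returns).
$sample = @{
    'PC-001' = @('CONTOSO\PC-001\Administrator', 'CONTOSO\Domain Admins', 'CONTOSO\Domain Users')
    'PC-002' = @('CONTOSO\PC-002\Administrator', 'CONTOSO\Domain Admins', 'CONTOSO\bob')
}
foreach ($pc in $Owners.Keys) {
    Test-LocalAdminPolicy -Computer $pc -Members $sample[$pc] -Owner $Owners[$pc]
}

# Live run against reachable machines (requires admin rights on each target):
# foreach ($pc in $Owners.Keys) {
#     Test-LocalAdminPolicy -Computer $pc -Members (Get-LocalAdminMember $pc) -Owner $Owners[$pc]
# }
```

With the constructed data, PC-001 is reported non-compliant (Domain Users is still a local administrator and the owner is missing) and PC-002 is compliant.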

