Re: User type



If the computer is a member of a domain then you should use domain user
accounts. You could create a new domain user account that is not a member of
the Domain Administrators group (actually you only leave it in the default group --
Domain User). Add this computer account to a new domain group called e.g.
"Local Admins".

After you have this account and group created you can write a short script
that will add "Local Admins" group to the "Administrators" group in local
administrator and make your users local administrators. The script can be
something like this:

net localgroup administrators "Domain\Local Admins" /add

Replace Domain with the NetBIOS name of the domain where and Local_Admins is the domain
group where your users who need to be local admins are located. Put the above
command in a batch file and run it as a startup script (not logon script) using
your Active Directory. This way you don't have to go from computer to
computer to make changes to your PCs. After a restart of your domain computers
the above script will run and add the domain group to the local Administrators group and
your users will have administrative permissions on every computer in the domain
where the script runs.

I hope this helps,

--
Mike
Microsoft MVP - Windows Security


"John Leonard - Sage" <sagegrp@xxxxxxxxxxxx> wrote in message
news:ecqnBbtwFHA.1028@xxxxxxxxxxxxxxxxxxxxxxx
>I want them to authenticate from a client computer (local) and have admin
>rights on that.
>
> They have roaming profiles.
>
>
> "Miha Pihler [MVP]" <mihap-news@xxxxxxxxxxx> wrote in message
> news:OkTmex6vFHA.3300@xxxxxxxxxxxxxxxxxxxxxxx
>> OK, let's go back a bit. Where would you like them to be Administrators
>> (e.g. on their own PCs) and what tasks do they need to perform?
>>
>> --
>> Mike
>> Microsoft MVP - Windows Security
>>
>>
>> "John Leonard - Sage" <sagegrp@xxxxxxxxxxxx> wrote in message
>> news:OCuz7E4vFHA.1716@xxxxxxxxxxxxxxxxxxxxxxx
>>> Ok - I'm confused.
>>>
>>> Are you telling me to create the Local_Admins folder on the domain (as a
>>> domain group) under active directory and then go to each computer and
>>> add the startup command line to the local policy?
>>>
>>> or
>>>
>>> Do I do it all on the local computer/client?
>>>
>>> I was hoping for a simple - one step for all- solution. I am constantly
>>> changing the users in this group.
>>>
>>> thx
>>> "Miha Pihler [MVP]" <mihap-news@xxxxxxxxxxx> wrote in message
>>> news:%23DWLxbDnFHA.3256@xxxxxxxxxxxxxxxxxxxxxxx
>>>> Hi,
>>>>
>>>> If you would like to make a group of users only local administrators on
>>>> the computers in e.g. domain then add domain group with these users
>>>> that you created to Local Administrators group on the computers. You
>>>> can do it manually or using script.
>>>>
>>>> The way I usually do it is by using a script like this
>>>>
>>>> net localgroup administrators "Domain\Local_Admins" /add
>>>>
>>>> Replace Domain with netbios name of domain where and Local_Admins is
>>>> domain group where your users who need to be local admins are located.
>>>> Put above command in batch file and run it as startup script (not logon
>>>> script).
>>>>
>>>> This will make members of Local_Admins group local administrators on
>>>> the computers where script will run, while they won't be domain
>>>> administrators.
>>>>
>>>> I hope it helps you out,
>>>>
>>>> --
>>>> Mike
>>>> Microsoft MVP - Windows Security
>>>>
>>>>
>>>> "John Leonard - Sage" <sagegrp@xxxxxxxxxxxx> wrote in message
>>>> news:OG93AtBnFHA.3448@xxxxxxxxxxxxxxxxxxxxxxx
>>>>> How do I set up a group of users, to be administrators, without adding
>>>>> them to the Domain Admin group?
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>
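
The startup-script approach discussed in this thread, as an added example that is not part of the original posts: a batch file that adds the domain group only when it is missing and logs the resulting local Administrators membership for review. DOMAIN\Local_Admins is the placeholder from the posts; the log path is an assumption.

```batch
@echo off
rem Added example. Intended to run as a computer startup script (SYSTEM context).
rem GROUP uses the placeholder names from the thread; LOG is an assumed location.
setlocal
set "GROUP=DOMAIN\Local_Admins"
set "LOG=%SystemRoot%\Temp\localadmins-startup.log"

rem Check current membership first so every reboot does not produce an
rem "already a member" error. Note: this is a substring match, so a group
rem whose name merely starts with the same text would also match.
net localgroup Administrators | findstr /i /l /c:"%GROUP%" >nul
if not errorlevel 1 (
    >>"%LOG%" echo %DATE% %TIME% %COMPUTERNAME%: %GROUP% already present
    goto :audit
)

rem Not present yet: add the domain group to the local Administrators group.
net localgroup Administrators "%GROUP%" /add >nul 2>&1
if errorlevel 1 (
    >>"%LOG%" echo %DATE% %TIME% %COMPUTERNAME%: FAILED to add %GROUP%
    exit /b 1
)
>>"%LOG%" echo %DATE% %TIME% %COMPUTERNAME%: added %GROUP%

:audit
rem Record the full membership so unexpected local administrators
rem (accounts added by hand, stale entries) can be spotted later.
>>"%LOG%" net localgroup Administrators
exit /b 0
```

Because the script only ever adds the group, removing a user's rights is done by taking them out of the domain group, not by editing each computer.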

