Re: User type
- From: "John Leonard - Sage" <sagegrp@xxxxxxxxxxxx>
- Date: Fri, 7 Oct 2005 09:54:53 -0400
Mike
I miss-read you message - I now know that I must handle this in the startup
of the group - on the domain.
Thanks
"John Leonard - Sage" <sagegrp@xxxxxxxxxxxx> wrote in message
news:eosi1J0yFHA.720@xxxxxxxxxxxxxxxxxxxxxxx
> This does help Mike - thanks
>
> I still have to go to each workstation and add the BAT file to the
> startup.
>
> I was hoping to avoid that.
>
>
> "Miha Pihler [MVP]" <mihap-news@xxxxxxxxxxx> wrote in message
> news:OrOSjoJyFHA.3624@xxxxxxxxxxxxxxxxxxxxxxx
>> If the computer is member of domain then you should use domain user
>> accounts. You could create new domain user account that is not member of
>> Domain Administrators group (actually you only leave it in default
>> group -- Domain User). Add this computer account to new domain group
>> called e.g. "Local Admins"
>>
>> After you have this account and group created you can write a short
>> script that will add "Local Admins" group to the "Administrators" group
>> in local administrator and make your users local administrators. The
>> script can be something like this:
>>
>> net localgroup administrators "Domain\Local Admins" /add
>>
>> Replace Domain with netbios name of domain where and Local_Admins is
>> domain group where your users who need to be local admins are located.
>> Put above command in batch file and run it as startup script (not logon
>> script) using your Active Directory. This way you don't have to go from
>> computer to computer to make changes to your PCs. After restart of your
>> domain computers above script will run and add domain group to local
>> Administrators group and your users will have administrative permissions
>> on every computer in domain where script run.
>>
>> I hope this helps,
>>
>> --
>> Mike
>> Microsoft MVP - Windows Security
>>
>>
>> "John Leonard - Sage" <sagegrp@xxxxxxxxxxxx> wrote in message
>> news:ecqnBbtwFHA.1028@xxxxxxxxxxxxxxxxxxxxxxx
>>>I want them to authenticate from a client computer (local) and have admin
>>>rights on that.
>>>
>>> They have romaing profiles.
>>>
>>>
>>> "Miha Pihler [MVP]" <mihap-news@xxxxxxxxxxx> wrote in message
>>> news:OkTmex6vFHA.3300@xxxxxxxxxxxxxxxxxxxxxxx
>>>> OK lets go back a bit. Where would you like them to be Administrators
>>>> (e.g. on their own PCs) and what tasks do they need to perform.
>>>>
>>>> --
>>>> Mike
>>>> Microsoft MVP - Windows Security
>>>>
>>>>
>>>> "John Leonard - Sage" <sagegrp@xxxxxxxxxxxx> wrote in message
>>>> news:OCuz7E4vFHA.1716@xxxxxxxxxxxxxxxxxxxxxxx
>>>>> Ok - I'm confused.
>>>>>
>>>>> Are you telling me to create the Local_Admins folder on the domain (as
>>>>> a domain group) under active directory and then go to each computer
>>>>> aand add the startup command line to the local policy?
>>>>>
>>>>> or
>>>>>
>>>>> Do I do it all on the local computer/client?
>>>>>
>>>>> I was hoping for a simple - one step for all- solution. I am
>>>>> constantly changing the users in this group.
>>>>>
>>>>> thx
>>>>> "Miha Pihler [MVP]" <mihap-news@xxxxxxxxxxx> wrote in message
>>>>> news:%23DWLxbDnFHA.3256@xxxxxxxxxxxxxxxxxxxxxxx
>>>>>> Hi,
>>>>>>
>>>>>> If you would like to make a group of users only local administrators
>>>>>> on the computers in e.g. domain then add domain group with these
>>>>>> yours that you created to Local Administrators group on the
>>>>>> computers. You can do it manually or using script
>>>>>>
>>>>>> The way I usually do it is by using a script like this
>>>>>>
>>>>>> net localgroup administrators "Domain\Local_Admins" /add
>>>>>>
>>>>>> Replace Domain with netbios name of domain where and Local_Admins is
>>>>>> domain group where your users who need to be local admins are
>>>>>> located.
>>>>>> Put above command in batch file and run it as startup script (not
>>>>>> logon script).
>>>>>>
>>>>>> This will make members of Local_Admins group local administrators on
>>>>>> the computers where script will run, while they won't be domain
>>>>>> administrators.
>>>>>>
>>>>>> I hope it helps you out,
>>>>>>
>>>>>> --
>>>>>> Mike
>>>>>> Microsoft MVP - Windows Security
>>>>>>
>>>>>>
>>>>>> "John Leonard - Sage" <sagegrp@xxxxxxxxxxxx> wrote in message
>>>>>> news:OG93AtBnFHA.3448@xxxxxxxxxxxxxxxxxxxxxxx
>>>>>>> How do I setup a group of users, to be administrators, without
>>>>>>> adding them to the Domanin Admin group?
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>
.
- References:
- Re: User type
- From: Miha Pihler [MVP]
- Re: User type
- From: John Leonard - Sage
- Re: User type
- Prev by Date: Unattended Installation of Windows 2003
- Next by Date: Re: Upgraded to Windows 2003
- Previous by thread: Re: User type
- Next by thread: Re: User type
- Index(es):
Relevant Pages
|
