Re: Workaround for 0x8007045A (!)

From: Torgeir Bakken (MVP) (Torgeir.Bakken-spam_at_hydro.com)
Date: 09/17/04


Date: Fri, 17 Sep 2004 22:50:30 +0200

Tony Vaughan wrote:

> I've just been chatting to a mate of mine who really knows what he is doing
> when it comes to network configuration. Now, if you used to use SBS under NT4
> and you created a domain user for a workstation as an administrator, the
> domain user would have full administration rights to the local machine. My
> mistake was to think that SBS 2000 and SBS 2003 did the same even though you
> will notice that they introduced templates. It would now seem that when you
> create a user as a template administrator you are giving that user
> administrative rights to the domain but not the local machine, as your
> observation proved.
>
> So, what is the solution? I tried to give the domain user access rights to
> the local machine by going into Computer Management and selecting 'Local
> Users and Groups' and adding Domain Users to the list. However, under SP2
> this didn't work so I am about to test this with a machine that doesn't have
> SP2 installed. I'll let you know how that goes.

Hi

We add "NT Authority\Interactive" in the local Administrators group
to let all domain users automatically be local admins when they log
on to a computer interactively (works fine for SP2 as well).

This is more secure than adding "Authenticated Domain users",
"Domain Users" or "NT AUTHORITY\Authenticated Users" (or a group
that contains all users as you have) because you avoid the issue
with cross network admin rights (remote access) between the
computers that these groups introduce.

-- 
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scriptcenter/default.mspx
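
The difference the reply describes can be checked per machine. The following is an added example, not part of the original post: it rates each member of the local Administrators group by whether the admin right also applies to network logons. The function names, the `EXAMPLE` domain and the sample SIDs are constructed for illustration; the live call assumes PowerShell 5.1 or later.

```powershell
# Added example: rate each member of the local Administrators group by how
# far the admin right reaches. Well-known SIDs are matched instead of names,
# so the check also works on localized Windows installs.
function Get-AdminReach {
    param([Parameter(Mandatory)][string]$Sid)
    switch -Regex ($Sid) {
        # NT AUTHORITY\INTERACTIVE: present only in tokens of interactive
        # logons (console and Remote Desktop), not in network logons.
        '^S-1-5-4$'  { 'InteractiveLogonOnly'; break }
        # Authenticated Users, Everyone and Domain Users are also present in
        # network logon tokens, so the admin right applies across the network.
        '^S-1-5-11$' { 'AnyLogonIncludingNetwork'; break }
        '^S-1-1-0$'  { 'AnyLogonIncludingNetwork'; break }
        '^S-1-5-21-\d+-\d+-\d+-513$' { 'AnyLogonIncludingNetwork'; break }
        # Anything else is a specific account or a narrower group.
        default      { 'NamedPrincipal' }
    }
}

function Get-AdminReachReport {
    param([Parameter(Mandatory)][object[]]$Members)
    foreach ($m in $Members) {
        $sid = [string]$m.SID   # works for strings and SecurityIdentifier objects
        [pscustomobject]@{
            Name  = $m.Name
            SID   = $sid
            Reach = Get-AdminReach -Sid $sid
        }
    }
}

# Constructed sample membership (hypothetical domain EXAMPLE, made-up domain SID).
$sample = @(
    [pscustomobject]@{ Name = 'NT AUTHORITY\INTERACTIVE'; SID = 'S-1-5-4' }
    [pscustomobject]@{ Name = 'EXAMPLE\Domain Users'
                       SID  = 'S-1-5-21-1111111111-2222222222-3333333333-513' }
    [pscustomobject]@{ Name = 'NT AUTHORITY\Authenticated Users'; SID = 'S-1-5-11' }
    [pscustomobject]@{ Name = 'EXAMPLE\Domain Admins'
                       SID  = 'S-1-5-21-1111111111-2222222222-3333333333-512' }
)
Get-AdminReachReport -Members $sample | Format-Table -AutoSize

# On a live machine, feed it the real group (S-1-5-32-544 = BUILTIN\Administrators):
# Get-AdminReachReport -Members (Get-LocalGroupMember -SID 'S-1-5-32-544')
```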

