Re: Workstation Adm.-rights Domain

From: Lanwench [MVP - Exchange] (lanwench_at_heybuddy.donotsendme.unsolicitedmail.atyahoo.com)
Date: 11/28/04 

Date: Sun, 28 Nov 2004 17:57:13 -0500

BUR wrote:
> We have 200 computers driving Windows XP. All connected in a Windows
> 2000 server domain.
> For ediocational purpose out studenst have administrator rights on
> the local machines.

What does this mean, for educational purposes?

> I found a solution for this, bur it is NOT a good solution.
> I made Domain Users member of the local AdministratorsGroup.
> BUT: This means that a student on machine has rights on every other
> workstation in the domain. BAD IDEA !

I'd say it's a bad idea to grant any user any admin rights whatsoever.

> Also a virus could spread this way.

Well, a virus can spread many ways. Are all your computers & servers
protected to the gills - updated regularly with all patches/SPs, good
current centrally managed antivirus software that is updated regularly and
which they can't unload (although note that an admin can always stop a
service).
>
> How do I solve this ?
> I was thinking tha I could make "Current User" og something like that,
> member og the Local Administrator Group.
> I also try to remember something about Authenticated User, but I
> can't find it anywhere.

That won't be any different. If you want Joe to have local admin rights on a
PC, you have to add Joe to the local admins group. I don't know whether you
can do anything in your login script/policies, but you might be able to.

Again, I do not recommend this at all. If this is a computer lab, isolate
the network from the rest and get used to cloning/restoring computer images.
>
> Any one have an idea ?

>
> Sorry about the poor english ;-)

No problem - you were very clear. However, in the future note that this is a
Windows Update newsgroup - not the best place for your question. Next time
post in one for your OS version.
>
> BUR

Relevant Pages

  • Re: URGENT! Computer Name Change = No Admin Login
    ... Kerry ... > Windows may cause problems and should only be used as a last resort. ... > Another thing to try is to have the administrator use the Active Directory ... > Users and Computers snap in to add the new computer name to the ...
    (microsoft.public.windowsxp.help_and_support)
  • Re: ADMT2, cannot migrate computers, access denied
    ... > and manually place the new domain's administrator and ... > Windows 2003 domain. ... Run ADMT tool to migrate the computers from Windows NT ...
    (microsoft.public.windows.server.migration)
  • Re: Windows Client and Server Security
    ... I am working as a System Administrator in ... > these Computers. ... > He thinks that we should give all the Users, Administrator rights. ... If you have badly-written software that requires local admin rights, ...
    (microsoft.public.win2000.security)
  • Re: new user with different privileges
    ... include groups that the user is a member of on the computers that they ... Make sure that the user is not a local administrator if you do not want them ... user a local administrator, restrictive ntfs permissions, and Group Policy ... Windows 2000 and there is another similar GP setting for run "only" allowed ...
    (microsoft.public.windows.server.security)
  • Destroy, Corrupt, Permanently Delete Remote Instructions, please.
    ... running Windows XP Pro and Windows 98SE. ... I've tried using the instructions for local policy, ... someone continually logs on as Administrator, ... computers rendering them unable to access the internet and undoubtedly, ...
    (microsoft.public.windowsxp.work_remotely)