Allow Admins to log on to W2K Desktop with Admin Rights

Chris

We want to have our support and admin staff be able to
log onto our W2K desktops with full local administrator
rights. All other users need to have a restricted
desktop environment. Also we need to be able to manage
these permission groups via AD. We do not want these
users to have Domain Admin rights.

Can anyone help please?
 
Oli Restorick [MVP]

Hi Chris

You need to have all your workstations under a single OU. Then, ensure you
have a security group on the domain that has the correct membership for your
support and admin staff.

Then, create a new Group Policy object and set up a computer startup script
(Computer Configuration | Windows Settings | Scripts (Startup/Shutdown) |
Startup).

For name, use "net" and for parameters, use "localgroup administrators
domain\helpdesk /add"

This will execute the command "net localgroup administrators domain\helpdesk
/add" each time a machine affected by the policy boots.

Be aware that if a workstation falls out of scope of your GPO, the change
won't be removed from the machine.

There is a feature called "restricted groups" that behaves similarly, but
depending on OS and hotfix level it can either replace the existing
membership or add to it. The method outlined above is safer.

Hope this helps

Oli
 
Chris

Unfortunately my original statement was not quite correct,
we do have a number of users who require local admin
rights to run some applications. Restricted group access
removes all other members of that group, so this would
not quite fit the requirement.

Thanks for the help, any other suggestions?
 
Guest

The "net localgroup" command would have been perfect, but
unfortunately the group we wish to add with the domain
name is longer than 28 characters. The command fails
with a syntax error.

Other than changing the name any further suggestions
would be greatly appreciated.

Cheers.
 
Steven L Umbach

Oli's suggestion would be your other option by using the net localgroup command in a
startup script. --- Steve
 
Oli Restorick [MVP]

Damn. I don't know of a way around that. You might want to try posting to
somewhere like microsoft.public.win2000.cmdprompt.admin or
microsoft.public.scripting.wsh in case there is another method for doing
that.

I'm not sure if you could do something with group nesting and use a shorter
name for the new group.

Regards

Oli
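
Added example, not part of the thread or any poster's code: the startup-script change described above, made through the ADSI WinNT provider from a WSH script instead of passing the group name to net.exe. DOMAIN and helpdesk are placeholders, the English group name Administrators is assumed, and the thread does not confirm whether this avoids the name-length error reported above.

```vbscript
' Added example: computer startup script (assign it in the GPO under
' Computer Configuration | Windows Settings | Scripts | Startup).
' Adds a domain group to the local Administrators group via ADSI and
' records the outcome in the Application event log for later audit.
Option Explicit

' Assumptions: replace with your own NetBIOS domain and group names.
Const DOMAIN_NAME  = "DOMAIN"          ' placeholder
Const DOMAIN_GROUP = "helpdesk"        ' placeholder taken from the thread
Const LOCAL_GROUP  = "Administrators"  ' English-language OS assumed

Const EVT_ERROR = 1
Const EVT_INFO  = 4

Dim shell, net, localGroup, memberPath, alreadyMember
Set shell = CreateObject("WScript.Shell")
Set net   = CreateObject("WScript.Network")
memberPath = "WinNT://" & DOMAIN_NAME & "/" & DOMAIN_GROUP

On Error Resume Next

' Bind to the local group on this machine.
Set localGroup = GetObject("WinNT://" & net.ComputerName & "/" & LOCAL_GROUP & ",group")
If Err.Number <> 0 Then
    shell.LogEvent EVT_ERROR, "Startup script: cannot bind to local group " & _
        LOCAL_GROUP & " (0x" & Hex(Err.Number) & ")"
    WScript.Quit 1
End If

' Only add when missing, so repeated boots do not raise "already a member".
alreadyMember = False
alreadyMember = localGroup.IsMember(memberPath)
Err.Clear

If Not alreadyMember Then
    localGroup.Add memberPath
    If Err.Number <> 0 Then
        shell.LogEvent EVT_ERROR, "Startup script: failed to add " & memberPath & _
            " to " & LOCAL_GROUP & " (0x" & Hex(Err.Number) & ")"
        WScript.Quit 1
    End If
    shell.LogEvent EVT_INFO, "Startup script: added " & memberPath & " to " & LOCAL_GROUP
End If
```

As with the net localgroup approach, existing members of the local group are left in place, and the membership is not removed if a machine later falls out of the GPO's scope.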
 
