Arno said:
I am trying to add users to the administrator group on the local
computer. Going to computer management and then to groups.
Double clicking on the group administrators.
The locations only show the local computer, not the domain. So I cannot
add domain users to the local administrator group.
How do I get the domain to appear in the location?
Is this computer joined to the domain already?
Post an unedited ipconfig /all from this client.....
Also, if you have AD, it's a lot easier to handle stuff like this via group
policy. You can look into Restricted Groups, but I personally like using a
startup script applied to all desktops via GPO.
I tend to set up AD groups called LocalAdmin, LocalPowerUser, to make this
easier. You can also create one for Remote Desktop access, too - in this
case, RDaccess.
The batch file would have this:
.........
net localgroup administrators DOMAIN\localadmin /add
net localgroup "power users" DOMAIN\localpoweruser /add
net localgroup "remote desktop users" DOMAIN\RDaccess /add
.........
When I set up a new user, I often find I need to add their domain account to
LocalAdmin before I log in as them the first time to customize their
profile/install any sw that must be installed by the user him/herself
....then remove them from the domain LocalAdmin group on the domain when
done.
You can create/link a new GPO at the appropriate OU where your computers
live (if you haven't created custom ones, you'll need to - unless you're
using SBS, which creates its own hierarchy).
Edit the GPO - go to Computer Configuration \ Windows Settings \ Scripts
(startup/shutdown)
Double-click Startup, click Add
Copy the batch file you created to the clipboard, then paste it in the
window here
Exit/apply/ok/finish whatever
All the computers in this OU should have the startup script applied when
they restart, and you can now control all this at the server.
THAT SAID - it's not good practice to let users have local admin rights - so
if you have software that won't behave properly without admin rights, try to
correct it. First holler at the software developer, but then try downloading
Process Explorer from Microsoft (a Sysinternals utility) to see what the app
is trying to do. You can then modify permissions in the file system/registry
appropriately, to let ordinary users have the access the software needs.
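
An added example, not part of the original reply: a PowerShell form of the startup script described above that adds each domain group only when it is missing, then reports any member of the local Administrators group that is not on an expected list. `DOMAIN` and the three group names come from the post; the `$AllowedAdmins` list and the use of the LocalAccounts cmdlets in Windows PowerShell 5.1 are assumptions.

```powershell
# Added example (not from the thread). Run as a computer startup script,
# which executes as SYSTEM. Assumes Windows PowerShell 5.1 or later.

$Domain = 'DOMAIN'   # placeholder, as in the post

# Local group -> domain group that should be a member (names from the post).
$Wanted = [ordered]@{
    'Administrators'       = "$Domain\LocalAdmin"
    'Power Users'          = "$Domain\LocalPowerUser"
    'Remote Desktop Users' = "$Domain\RDaccess"
}

# Assumption: these are the only principals expected in local Administrators.
$AllowedAdmins = @(
    "$env:COMPUTERNAME\Administrator",
    "$Domain\Domain Admins",
    "$Domain\LocalAdmin"
)

foreach ($group in $Wanted.Keys) {
    $member = $Wanted[$group]
    try {
        # Read current membership first so repeated boots do not raise
        # "already a member" errors and only real changes are reported.
        $current = (Get-LocalGroupMember -Group $group -ErrorAction Stop).Name
        if ($current -notcontains $member) {
            Add-LocalGroupMember -Group $group -Member $member -ErrorAction Stop
            Write-Output "Added $member to $group"
        }
    }
    catch {
        # Typical causes: group does not exist on this OS, or the domain
        # could not be reached at boot to resolve the group name.
        Write-Warning "$group <- $member failed: $($_.Exception.Message)"
    }
}

# Audit: flag direct members of local Administrators that are not expected,
# for example a user account that was added by hand and never removed.
try {
    Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
        Where-Object { $AllowedAdmins -notcontains $_.Name } |
        ForEach-Object {
            Write-Warning "Unexpected local admin: $($_.Name) [$($_.ObjectClass)]"
        }
}
catch {
    Write-Warning "Could not enumerate Administrators: $($_.Exception.Message)"
}
```

The audit only sees direct members of the local group; who holds admin rights through `DOMAIN\LocalAdmin` still has to be reviewed in AD.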