adding to local usergroup after first login.

[Chandra via WindowsKB.com]

Hi,

In our domain, we are connected around 100 PCs. except for a user (myadmin),
we have given all other users as domain users power only.

However if any user require admin rights for their PCs we give admin rights
to their user name in that pc through the myadmin user only.

Since some of the users are changing their pcs frequently whenever they ask
admin rights to their PCs we are going to their location and giving admin
rights. We couldn't able to connect their pcs remotely through Dameware
Remote control since their user id is not even in power user group in that
local machine since their are logging to that pc with their ID for the first
time.

So, my question is, is there any way is there so that the user itself add
their user name in any one of the localgroup in that pc ?

Any help highly appreciated.

Regards
Chandra.

 

[Bruce Chambers]

Hi,

In our domain, we are connected around 100 PCs. except for a user (myadmin),
we have given all other users as domain users power only.

However if any user require admin rights for their PCs we give admin rights
to their user name in that pc through the myadmin user only.

Is the "myadmin" account a local account created on each machine? If
so, just broadcast it's password to all of the employees.

Since some of the users are changing their pcs frequently .....

Is there no IT department to control such things? Employess shouldn't
be given such free rein with expensive equipment.

.... whenever they ask
admin rights to their PCs we are going to their location and giving admin
rights. We couldn't able to connect their pcs remotely through Dameware
Remote control since their user id is not even in power user group in that
local machine since their are logging to that pc with their ID for the first
time.

That would not affect your ability to contact via DameWare. (Or using
the built-in MMC, for that matter.)

So, my question is, is there any way is there so that the user itself add
their user name in any one of the localgroup in that pc ?

Only if that user already has full administrative privileges, already.

May one ask what you're really trying to accomplish seeking to grant
your users such elevated privileges? (Beyond utterly compromising your
network's security, that is.)


--

Bruce Chambers

Help us help you:



They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. -Benjamin Franklin

Many people would rather die than think; in fact, most do. -Bertrand Russell

 

[Chandra via WindowsKB.com]

Hi Bruce,

Thanks for the reply.

Since the question is not clearly understood i guess, hereby i am briefing
you the details what i am expecting.

As i told in a single domain we are using around 100 PCs in 3 floors. We as a
support engineer providing the users (domain user a/c) as power users in the
local pc. Also, software installations and troubleshooting we are undertaking
everything through remotely from our PC using Dameware Mini Control.

Some of the users are frequently will interchange their seat location (not pc)
. So, when they logon to the PC in new location with their domain user name
and password (hope its known that their user name will not be in any local
group in that PC).

So, if any user in that new location ask for software installation, we
connect their pc remotely using Dameware Minicontrol tool. We (our domain
user id is having full admin rights). Since as i said their domain user id is
not available in any of the local group in that pc, we couldn't able to
connect their pc from our pc.

So, we physically go to their place and add their user name in power users
group and then start the installation remotely from our computer.

I tried by asking them to do themselves to add their name in power users /
users (local)group in that pc. But when they issue (net localgroup "Power
Users" theirusername /add" in command prompt its saying that Access Denied to
them.

So, is there any other way to do that themselves ? FYI, in our domain for
domain users (other than us) the management console will not open as its
denied through our domain group policy.

Any help will be highly appreciated.

Hi,

[quoted text clipped - 3 lines]

However if any user require admin rights for their PCs we give admin rights
to their user name in that pc through the myadmin user only.

Is the "myadmin" account a local account created on each machine? If
so, just broadcast it's password to all of the employees.

Since some of the users are changing their pcs frequently .....

Is there no IT department to control such things? Employess shouldn't
be given such free rein with expensive equipment.

.... whenever they ask
admin rights to their PCs we are going to their location and giving admin
rights. We couldn't able to connect their pcs remotely through Dameware
Remote control since their user id is not even in power user group in that
local machine since their are logging to that pc with their ID for the first
time.

That would not affect your ability to contact via DameWare. (Or using
the built-in MMC, for that matter.)

So, my question is, is there any way is there so that the user itself add
their user name in any one of the localgroup in that pc ?

Only if that user already has full administrative privileges, already.

May one ask what you're really trying to accomplish seeking to grant
your users such elevated privileges? (Beyond utterly compromising your
network's security, that is.)