Domain user as Local admin

filip

Sorry if I misposted.
I have 100 computers joined from a workgroup to the domain, and now I have found that
some users cannot run some programs. Is there a way to grant domain users
local admin rights through the domain's group policy (so I do not have to go
to each computer adding the domain users to the Administrators group)?
 
Norbert Fehlauer [MVP]

filip wrote:
Hi,
I have 100 computers joined from a workgroup to the domain, and now I have found that
some users cannot run some programs. Is there a way to grant domain
users local admin rights through the domain's group policy (so I do
not have to go to each computer adding the domain users to the
Administrators group)?

Yes there is, but you really don't want this. Try using Regmon and Filemon
to find out which permissions those programs need, so they can be used as a
normal user.

Bye
Norbert
 
filip

Thanks for the advice, but I still need to add some users as admins; if you could please
advise me on how to do this. I found something on the net, but it did not work
for me.
This is what I found:
Edit the GPO, navigate to:
Computer configuration, Windows Settings, restricted groups
in the right pane right-click and choose "Add group..."
In the Add Group dialog type "Administrators"
Click OK
Click Add to the right of "Members of this group"
In the add member dialog type:
Administrator;DOMAINNAME\Domain Admins; DOMAINNAME\SUPPORT <--- replace
DOMAINNAME with your domain name, replace SUPPORT with the name of your group.


But I do not know if this is what I have to do on the local machine or on the domain controller.
Please advise on how to manage this. Thanks.
 
Norbert Fehlauer [MVP]

filip wrote:
Hi,
Please advise me on how to do this. I found something on the net, but
it did not work for me.
Why?

But I do not know if this is what I have to do on the local machine or on the domain
controller. Please advise on how to manage this. Thanks.

You have to configure that in a GPO on your DC. The GPO has to apply to your
machines where you want ALL(?) your users to be local admins.

Bye
Norbert
 
Cary Shultz

As Norbert is suggesting, you really want to stay away from allowing your
users to be Domain Admins. Really, really, really bad idea. This group
should be extremely limited.

As to allowing your user base to be members of the local computer's
Administrators group, this is also a bad idea - typically. Filemon and
Regmon are really your friends here - as Norbert suggested. Often there is
a problem within the directory structure permissions (such as full access to
the TEMP folder) and/or in the registry that prevents either the user from
installing the application in the first place or, once installed, from using
it. This is what Filemon and Regmon do - tell you exactly where. Then you
go to the directory structure and change the permissions, or open up regedt32
and change the permissions in the registry.

Now, as to using Restricted Groups - this is something that I like to do
(when it fits) but also know that there are other ways. One of the caveats
with Restricted Groups is that it flushes the contents of "that local group"
and replaces the membership with whatever you tell it. Many people do not
know this and do not add "Domain Admins" as one of the groups. Have fun
trying to manage that environment....

I might suggest that if you are going to do this, you actually do it
from a Windows XP Pro system on which you have the ADMINPAK and/or GPMC
installed. The GUI for Restricted Groups is not the best in the world, and
if you try to do this on the Domain Controller you will run into
issues.... From a workstation it is much easier (because the local groups are
there....).
 
Norbert Fehlauer [MVP]

Cary said:
As Norbert is suggesting, you really want to stay away from allowing
your users to be Domain Admins.

He just wants all his users to be local admins on all machines, not
all users to be Domain Admins.
Really, really really bad idea.

Both are. ;)
Now, as to using Restricted Groups - this is something that I like to
do (when it fits) but also know that there are other ways. One of
the caveats with Restricted Groups is that it flushes the contents of
"that local group" and replaces the membership with whatever you tell
it. Many people do not know this and do not add "Domain Admins" as
one of the groups. Have fun trying to manage that environment....

You can also add and not only replace the members of those groups.

Bye
Norbert
 
filip

OK, it is a problem having everyone as admins. But I am having problems like I can't
open the workspace on my secondary drive; it says I do not have the
privileges.
 
Roger Abell [MVP]

That storage was likely defined when the normal user was an admin,
or when using an account that is now not available since joining the
domain. In those cases you need to correct the permissions on the
storage so that it does allow those accounts that should have access.

I know you have heard this before, but giving out admin in order to
avoid the work needed to set up correct usage of limited user accounts
is not a quick fix, it is a way to make much more work longer-term.

Do the initial, one-time setup work to do it right and you will be
much, much better off. It may seem less simple, certainly less
quick - but that is only when you look at now rather than the life
of the machine.

Roger
 
Roger Abell [MVP]

filip said:
Thanks for the advice, but I still need to add some users as admins; if you could please
advise me on how to do this. I found something on the net, but it did not
work for me.
This is what I found:
Edit the GPO, navigate to:
Computer configuration, Windows Settings, restricted groups
in the right pane right-click and choose "Add group..."
In the Add Group dialog type "Administrators"
Click OK
Click Add to the right of "Members of this group"
In the add member dialog type:
Administrator;DOMAINNAME\Domain Admins; DOMAINNAME\SUPPORT <--- replace
DOMAINNAME with your domain name, replace SUPPORT with the name of your
group.


But I do not know if this is what I have to do on the local machine or on the domain controller.
Please advise on how to manage this. Thanks.

What you tried is backwards, that is, unless you really did want to
completely redefine the membership in the Administrators group.
If one had an OU named X with a couple dozen machines in it, and
you defined a custom domain group OuXadmins that you wanted to
be in the Administrators group of all machines in OU X, and you
did not want to totally replace what is already in each machine's
Administrators group, here is what you need to do.
Define (or use existing) GPO that is linked to OU X
In that OU define a restricted group for OuXadmins.
Do not touch the Members list of the restricted group definition.
Instead, only add Administrators to the "Member of" list.
For this to work, the machines must be at a minimum of XP SP2,
Windows 2000 SP4, or above (W2k3/W2k3 R2/Vista).
The effect is that the OuXadmins group will be added into the
membership of the Administrators group on each machine, and
no other change will be made.

However, again I also caution you: do not use this for the
purpose you have stated. That would be like intentionally
deciding to drive the wrong way on a one-way street.

Roger
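The procedure Roger describes (put Administrators in the "Member of" list of a restricted group rather than redefining the Members list of Administrators) and the caveat Cary raises (a Members list flushes whatever is in the local group) come down to which of two forms a Restricted Groups entry takes in the GPO's security template. The following PowerShell script is an added example, not code from the thread: it parses the [Group Membership] section of a GptTmpl.inf and flags entries that would replace a local group's membership. The domain CONTOSO, the group names and the sample template text are constructed.

```powershell
# Added example, not part of the thread. Restricted Groups settings live in the GPO's
# GptTmpl.inf (under Machine\Microsoft\Windows NT\SecEdit\ in SYSVOL). This parses
# the [Group Membership] section and reports which entries REPLACE a group's
# membership ("__Members", flushes existing members) and which only ADD the named
# group into another ("__Memberof"). CONTOSO, OuXadmins and the sample are constructed.

function Get-RestrictedGroupEntry {
    param([string[]]$IniLines)

    $inSection = $false
    $entries   = @{}
    foreach ($line in $IniLines) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Group Membership'); continue }
        if (-not $inSection -or $t -eq '') { continue }
        # Each line is "<group>__Members = a,b" or "<group>__Memberof = a,b"; a group is
        # written as a NAME or as *SID (*S-1-5-32-544 is BUILTIN\Administrators).
        if ($t -match '^(?<group>.+?)__(?<kind>Members|Memberof)\s*=\s*(?<val>.*)$') {
            $g = $Matches['group']
            if (-not $entries.ContainsKey($g)) { $entries[$g] = @{} }
            $entries[$g][$Matches['kind']] = $Matches['val'].Trim()
        }
    }
    foreach ($g in $entries.Keys) {
        [pscustomobject]@{
            Group    = $g
            # Any __Members line (even an empty one) is authoritative: the local group
            # ends up with exactly that list, so members not on it are removed.
            Replaces = $entries[$g].ContainsKey('Members')
            Members  = $entries[$g]['Members']
            MemberOf = $entries[$g]['Memberof']
        }
    }
}

# Constructed sample: the first entry is the "backwards" approach from the thread
# (redefines Administrators); the second is the additive approach (OuXadmins is
# added into Administrators and nothing else on the machine changes).
$sample = @'
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = Administrator,CONTOSO\Domain Admins,CONTOSO\SUPPORT
CONTOSO\OuXadmins__Memberof = *S-1-5-32-544
'@ -split "`r?`n"

Get-RestrictedGroupEntry -IniLines $sample |
    Format-Table Group, Replaces, Members, MemberOf -AutoSize
```

Running it on a real template pulled from SYSVOL shows at a glance whether a GPO will wipe "Domain Admins" out of local Administrators the way Cary warns, before the policy ever reaches a machine.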