Dynamic Local Administrator / PowerUser

Stefan

Hello,

I have a Windows 2003 Active Directory network with one domain.
We're planning to roll out Windows XP PCs in the near future (now all
PCs are Windows 98).

What I would like to accomplish is 'dynamic local administrator',
which is derived from Novell ZenWorks (dynamic local user).

I would like a normal user to log on to a Windows XP workstation; at
the moment he/she logs in, he/she must be added to the local
Administrator/Poweruser group and these rights have to be active
immediately. Also at logoff these rights must be removed (or all but
the current user should be removed at logon).

I know I can create a domain group, put all users in it, and connect
the domain group to all local Administrators groups, but this will
give all the users administrator rights on all PCs simultaneously
(like admin shares).

Also, I could put the user John in the local Administrators group of
his PC, and Peter in his etc. etc. But I have roaming users.

So can anyone please help me.
Thank you.
Stefan
 
Guest

Why does the security token need to be removed after logoff? Is there a
security risk?

Thanks,
Christopher Ransom, MCSE 2000/2003, MCSA 2000/2003, CCNA
Microsoft Enterprise Platforms Support
Windows NT/Windows 2000 Directory Services
 
Joe Richards [MVP]

Actually I don't think that process would work because by the time the logon
script is run, the user already has their token.

A possible solution if it fits the security needs is to add the security
principal INTERACTIVE to the administrators groups. This would make it so that
anyone who logs on interactively would have admin rights.

joe
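
An added example, not part of the original thread and not code from any poster: a PowerShell audit that lists the members of the local Administrators group and flags broad principals such as INTERACTIVE, so the effect of the options discussed above is visible on a workstation. It assumes Windows PowerShell 5.1 or later (the `Microsoft.PowerShell.LocalAccounts` module); the function names are hypothetical, and a custom domain group containing all users is not flagged because it has no well-known SID.

```powershell
# Added example. Run locally on the workstation being audited.
# Well-known SIDs that, as members of BUILTIN\Administrators, turn every
# matching logon into an administrative logon.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-4'      = 'INTERACTIVE'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

function Test-BroadAdminMember {
    # Returns the reason a SID is considered broad, or $null if it is not.
    param([Parameter(Mandatory)][string]$Sid)
    if ($BroadSids.ContainsKey($Sid)) { return $BroadSids[$Sid] }
    # Domain Users is the domain SID followed by RID 513.
    if ($Sid -match '^S-1-5-21-\d+-\d+-\d+-513$') { return 'Domain Users' }
    return $null
}

function Get-BroadLocalAdmin {
    # S-1-5-32-544 is BUILTIN\Administrators regardless of display language.
    Get-LocalGroupMember -SID 'S-1-5-32-544' | ForEach-Object {
        $why = Test-BroadAdminMember -Sid $_.SID.Value
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Member   = $_.Name
            Sid      = $_.SID.Value
            Broad    = [bool]$why
            Reason   = $why
        }
    }
}

# Broad principals sort to the top of the report.
Get-BroadLocalAdmin | Sort-Object Broad -Descending | Format-Table -AutoSize
```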
 