Full control of Workstation

[User]

Hi

When running ADS with roaming profiles is there anyway to
allow users full control of their workstations without
given them administration rights? So they can install
software etc?

I have certain Users who need to have full control of
their local PC, but not the whole network. If i give
them admin rights this gives them access to shares that
we would prefer them not to be able to access.

I know another way to solve the problem is to create a
different admin group but i would prefer a simplier
solutions.

Hope this makes sence.
Thanks.

 

[Danny Sanders]

Adding the users domain account to the local admin group on their PC will
allow this user account Administrator privileges to only this PC when
logging onto the domain.

hth
DDS W 2k MVP MCSE

 

[Ace Fekay [MVP]]

Log on as the domain admin onto the client, goto local users and groups, add
that sepecific user to the local administrators group or the power users
group (your preference) and then log out and let them log in. Now they can
install s/w, change the time, etc...

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

 

[Guest]

Hi

Thanks for the reply. Is there any way to do this from
ads because the users frequently use different pc's?

Even though they are logging onto a domain i can't
understand why users are automatically restricted to what
they can do. Surely there must be some way to reverse
this? I have looked through gpo settings, but am non the
wiser.

Hope someone can help.

Thanks.

 

[Danny Sanders]

Is there any way to do this from

ads because the users frequently use different pc's?

As far as I know you have to do this at each computer they log on that you
want them to be administrator of.

Even though they are logging onto a domain i can't
understand why users are automatically restricted to what
they can do.

In *most* cases the Admin does NOT want users to be Admin on their computer.
The Admin of the computer can totally screw up their computer if they don't
know what they are doing.
Running *any* computer under the admin account that connects to the internet
is a security hole.
Restricting users when that join the domain is one of the main reasons for
setting up a domain. Unknowing or worse yet disgruntled or fired users that
have the admin account for their computer can remove the computer form the
domain, change the passwords and leave. Then you are stuck reinstalling or
figuring out how to reset the password.

Personally I would prefer my users locked down then grant them access to
what they need rather than have their access wide open and try to lock them
down. You might forget something.

Besides it is *always* easier (from the "Big brother" standpoint) to *give*
your users something rather than take it away.

hth
DDS W 2k MVP MCSE

 

[Richard Moreno]

You can use RESTRICTED GROUPS in your GPO for this too.

228496 HOW TO: Use Restricted Groups in Windows 2000
http://support.microsoft.com/?id=228496

320045 HOW TO: Restrict Group Membership By Using Group Policy in Windows
2000
http://support.microsoft.com/?id=320045

 

[Guest]

Thanks for your help guys. I understand what you are
saying and i agree i would prefer them to be locked down
but some senior members of the company think they should
have full access to pcs', but i don't want to give them
admin rights through the domain because this will
obviously give them access to everything.

I'll have alook at the restricted groups link below.

You guys have been really helpfull

Thanks again.

 

[aaron]

Even though these users frequently use different computers, are these mainly
the same group of computers all the time? If so you can put these computers
is a seperate OU. Assign a startup script to these group of machines that
will add the domain accounts to the local administrators group. You can put
the users that need admin rights into a group then add the group to the
local admins group.

net localgroup administrators "domain\usersthatneedAdminRights" /ADD

hth,
aaron