Give Domain Users Local Admin Rights

Mike

hey there,

I'm trying to set up my PCs so that when a domain user
logs into the PC they are given local administrator
rights.

I screwed up though.

I added DOMAIN USERS to the local administrators group on
each PC. This seemed to work, but with 1 issue. Now each
user has full rights to EVERY local machine in the
Domain, via the "hidden" admin share "C$". (not good).

How can I grant Local Admin rights to just the PC they
are logged on to without giving them Local Admin rights
to other users' PCs?

I think I need to set up a group policy, but I've never
used any Group Policies before, so any detailed help, or
pointing in the right direction, would be greatly
appreciated.

Thanks

MG
 
Bruce Chambers

Greetings --

By adding a global group (Domain Users) to the local group, you've
made every authenticated member of that group a member of the local
Administrators group. To accomplish your goal, you would have to add
each individual user's domain account to the local Administrators
group on the PC he/she uses.

May I ask why you want to do this? Are you trying to increase
your support staff's workload exponentially? It requires an awful lot
of support time and personnel to clean up behind unknowledgeable users
with too many privileges.


Bruce Chambers

--
Help us help you:

You can have peace. Or you can have freedom. Don't ever count on
having both at once. -- RAH
 
Mike

Trust me,

I am not trying to increase my staff's workload. I am the
staff ;-) (150 PCs and Users)

I know that I could add the individual domain user to the
local admin group on their primary PC, but what I am
trying to get away from is that if a user switches to a
different PC and logs in, they do not have local admin
access. (This happens more often than I'd like.)

Many of our programs require that the user be a local
admin.

I do not want to have to run to a machine every time a
new user logs into a different machine and add them to
the local administrators group. This is more work than
having to clean up after my users. That's just part of
the job ;-)
 
PS

Bruce Chambers said:
Greetings --

By adding a global group (Domain Users) to the local group, you've
made every authenticated member of that group a member of the local
Administrators group. To accomplish your goal, you would have to add
each individual user's domain account to the local Administrators
group on the PC he/she uses.

May I ask why you want to do this? Are you trying to increase
your support staff's workload exponentially? It requires an awful lot
of support time and personnel to clean up behind unknowledgeable users
with too many privileges.


Bruce Chambers
Bruce-

We let thousands of users have full local admin privileges, and it saves us
a lot of time actually. Who do your users call when they want to install a
screen saver or misc. program that they downloaded which required local
admin rights to install? Re-imaging only takes 5 minutes if/when they hose
their own system, which happens less than you know.

Good Luck!
PS
 
Marcio Ferreira

Mike,
I also had problems with programs requiring administration privileges,
but including them in the "Power Users" group rather than Admins solved
most of them (e.g. AutoCAD).

Marcio
 
Bruce Chambers

Greetings --

Doesn't matter who they call if they want to install such things.
We simply hand them a newspaper classified ads section and suggest
they seek an employer who doesn't expect the company-owned computers
to be used only for company business. No one is allowed to install,
much less download, anything that hasn't been thoroughly tested and
approved.

Bruce Chambers

 
Esta Vida Nueva

Mike said:
Trust me,

I am not trying to increase my staff's workload. I am the
staff ;-) (150 PCs and Users)

I know that I could add the individual domain user to the
local admin group on their primary PC, but what I am
trying to get away from is that if a user switches to a
different PC and logs in, they do not have local admin
access. (This happens more often than I'd like.)

Many of our programs require that the user be a local
admin.

I do not want to have to run to a machine every time a
new user logs into a different machine and add them to
the local administrators group. This is more work than
having to clean up after my users. That's just part of
the job ;-)

To be honest with you, even with my experience I don't use Administrator
privileges. I log on as Administrator when I need to and SUID (using "Run
this program as...") if I am trying to install a program whilst logged in
as myself.

I find few problems whilst using "Power User" privileges and have been
using my systems as a "power user" for about 2 years now. I can only
suggest this is what you do. As for specific programs, let's say your
program needs to write to its own directory: give LOCAL\Power Users write
and modify privileges to the program's folder if you still have problems.
This is much better than creating a highly insecure environment where
everyone is the administrator; it's like having a safe with thousands of
pounds in it, and hanging the key up right next to it...
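The folder-permission workaround described above, as an added example that is not part of the original post. It grants BUILTIN\Power Users the Modify right on one application's folder (with inheritance, so new files and subfolders get it too) and then checks that the ACE is present. The folder path is an assumption; run it as an administrator on the PC in question.

```powershell
# Added example (not from the thread): give BUILTIN\Power Users Modify on one
# application's folder so the program can write there without the user being
# a local admin. The folder path is an assumption; run as an administrator.
$AppFolder = 'C:\Program Files\LegacyApp'   # assumption
$Account   = 'BUILTIN\Power Users'

function Grant-FolderModify([string]$Path, [string]$Identity) {
    $acl  = Get-Acl -Path $Path
    # Allow Modify, inherited by subfolders (ContainerInherit) and files (ObjectInherit)
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $Identity, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Test-FolderModify([string]$Path, [string]$Identity) {
    # True when an Allow ACE for $Identity carries at least the Modify bits
    $modify = [System.Security.AccessControl.FileSystemRights]::Modify
    $hit = (Get-Acl -Path $Path).Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $modify) -eq $modify
    }
    return [bool]$hit
}

if (-not (Test-FolderModify $AppFolder $Account)) {
    Grant-FolderModify $AppFolder $Account
}
"$Account has Modify on ${AppFolder}: $(Test-FolderModify $AppFolder $Account)"
```

To find which folder (or registry key) a program actually fails on, watch it with Process Monitor (Filemon/Regmon in the era of this thread) and look for ACCESS DENIED results, then grant the narrowest right that makes the failure go away. One caveat a practitioner should keep in mind: on Windows 2000 and XP, Power Users is not a real security boundary (members can escalate to full administrator), so prefer granting the folder right to Users or to a dedicated domain group when the only requirement is write access to the application's own directory.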
 
Esta Vida Nueva

PS said:
Bruce-

We let thousands of users have full local admin privileges, and it saves us
a lot of time actually. Who do your users call when they want to install a
screen saver or misc. program that they downloaded which required local
admin rights to install? Re-imaging only takes 5 minutes if/when they hose
their own system, which happens less than you know.

In that situation, I would use something like Dameware to remotely operate
the persons computer, go "Run this program as..." and slap the
administrator password in there.

What I am interested to know is why you allow your users to clutter their
hard disk and degrade system performance by installing silly screen savers
and other sundry software, especially without permission and supervision
from an admin... particularly when Windows includes perfectly adequate
screen savers anyway.
 
Steven L Umbach

You could put all the computers that should NOT be accessing each other ever in an OU
and then create an OU with a GPO configured with the user right for "access this
computer from the network" to include the domain admins and other authorized groups,
if any, but not everyone, users, or administrators. Of course you would not want that
user right configured on domain controllers, servers, or other computers offering
shares to users which should not have domain users in the local administrators group
anyhow.

Also in XP Pro you can implement Software Restriction Policies [which can be managed
in a W2K domain via Group Policy] that can prevent users including local
administrators via Enforcement Rule from installing or using unauthorized software
via certificate, hash, or path rules. --- Steve

http://support.microsoft.com/?kbid=310791
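The "Access this computer from the network" restriction Steve describes lives under Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment in the GPO linked to the workstation OU. The script below is an added example, not from the thread: it exports the effective user-rights policy on a PC with secedit, resolves the SIDs held for SeNetworkLogonRight, and warns if any of the broad groups (Everyone, Users, Authenticated Users, Administrators) still hold it after the GPO has applied. The temp path is an assumption; run it elevated.

```powershell
# Added example (not from the thread): verify who holds "Access this computer
# from the network" (SeNetworkLogonRight) on this PC after the GPO applies.
# Run as an administrator; the export path is an assumption.
$cfg = Join-Path $env:TEMP 'secpol-user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

function Get-UserRight([string]$Right, [string]$Path) {
    # secedit writes e.g.  SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
    $line = Get-Content $Path | Where-Object { $_ -match "^$Right\s*=" }
    if (-not $line) { return @() }          # right assigned to nobody
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {
            # *SID form: translate to DOMAIN\Name where possible
            try {
                (New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))).
                    Translate([System.Security.Principal.NTAccount]).Value
            } catch { $entry }                # unresolvable SID: keep raw
        } else { $entry }
    }
}

$holders = Get-UserRight 'SeNetworkLogonRight' $cfg
'Access this computer from the network:'
$holders | ForEach-Object { "  $_" }

# These defeat the point of the restriction if they are still present
$broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Administrators'
$bad = $holders | Where-Object { $broad -contains $_ }
if ($bad) { Write-Warning "Network logon still open to: $($bad -join ', ')" }
Remove-Item $cfg
```

Expect side effects before rolling this out: removing Everyone and Users from the network logon right on a workstation also blocks file and print sharing from that PC to ordinary users and any remote management done with non-admin accounts, which is why Steve keeps servers and domain controllers out of that OU.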
 
Guest

Hi Mike

Are you having problems with the users or the software that they are using?

If it is the software, why not try the Compatws.inf template, which relaxes access controls for the Users group and is therefore well suited for Windows 2000 clients that need compatibility with older applications.

Hope this helps

Da

----- Mike wrote: ----

hey there,

I'm trying to set up my PCs so that when a domain user
logs into the PC they are given local administrator
rights.

I screwed up though.

I added DOMAIN USERS to the local administrators group on
each PC. This seemed to work, but with 1 issue. Now each
user has full rights to EVERY local machine in the
Domain, via the "hidden" admin share "C$". (not good).

How can I grant Local Admin rights to just the PC they
are logged on to without giving them Local Admin rights
to other users' PCs?

I think I need to set up a group policy, but I've never
used any Group Policies before, so any detailed help, or
pointing in the right direction, would be greatly
appreciated.

Thanks

M
 
cquirke (MVP Win9x)

Esta Vida Nueva said:
What I am interested to know is why you allow your users to clutter their
hard disk and degrade system performance by installing silly screen savers
and other sundry software, especially without permission and supervision
from an admin... particularly when Windows includes perfectly adequate
screen savers anyway.

Prolly a culture thing. Not every work environment treats users as
scum, and not all users resent their locked-down PCs to the point they
don't care if they let malware loose on them.


-------------------- ----- ---- --- -- - - - -
Running Windows-based av to kill active malware is like striking
a match to see if what you are standing in is water or petrol.
 
Torgeir Bakken \(MVP\)

Mike said:
I added DOMAIN USERS to the local administrators group on
each PC. This seemed to work, but with 1 issue. Now each
user has full rights to EVERY local machine in the
Domain, via the "hidden" admin share "C$". (not good).

How can I grant Local Admin rights to just the PC they
are logged on to without giving them Local Admin rights
to other users' PCs?

Hi

There exists a very simple solution for this:

We add "NT Authority\Interactive" in the local Administrators group
to let all domain users automatically be local admins when they log
on to a computer interactively.

This is more secure than adding "Authenticated Domain Users",
"Domain Users" or "NT AUTHORITY\Authenticated Users" because you
avoid the issue with cross-network admin rights (remote access)
that these groups introduce (as you have experienced).
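Torgeir's fix works because INTERACTIVE (S-1-5-4) is only placed in the token of a session that logged on at the console or through Remote Desktop; a connection to \\OtherPC\C$ is a network logon and never carries it. The script below is an added example, not from the thread: it removes the over-broad "Domain Users" entry from the local Administrators group, adds NT AUTHORITY\INTERACTIVE in its place, and lists what is left, warning if anything broad remains. The domain name CONTOSO is an assumption; run it elevated on each PC.

```powershell
# Added example (not from the thread): swap "Domain Users" for INTERACTIVE in
# the local Administrators group and verify the result. Run as an
# administrator. The domain name is an assumption.
$domain = 'CONTOSO'   # assumption

function Get-LocalAdmins {
    # net.exe prints headers, a dashed separator, the members, then a trailer
    $lines = net localgroup Administrators
    $start = ($lines | Select-String -SimpleMatch '----').LineNumber   # 1-based, so index of the line after the dashes
    $lines[$start..($lines.Count - 1)] |
        Where-Object { $_ -and $_ -notmatch 'completed successfully' }
}

# 1. Drop the entry that makes every user an admin on every PC over the network
if (Get-LocalAdmins | Where-Object { $_ -eq "$domain\Domain Users" }) {
    net localgroup Administrators "$domain\Domain Users" /delete | Out-Null
}

# 2. Add INTERACTIVE (S-1-5-4): present only for console and Remote Desktop
#    sessions, absent from the token of a user connecting to \\ThisPC\C$
if (-not (Get-LocalAdmins | Where-Object { $_ -match 'INTERACTIVE$' })) {
    net localgroup Administrators 'NT AUTHORITY\INTERACTIVE' /add | Out-Null
}

# 3. Show the final membership and flag anything still too broad
$admins = Get-LocalAdmins
'Local Administrators now:'
$admins | ForEach-Object { "  $_" }
$broad = $admins | Where-Object {
    $_ -match 'Domain Users$|Authenticated Users$|^Everyone$|^Users$'
}
if ($broad) { Write-Warning "Still over-broad: $($broad -join ', ')" }
```

To push this to all 150 PCs instead of visiting each one, use Group Policy on the workstation OU: Computer Configuration > Windows Settings > Security Settings > Restricted Groups, add Administrators and list INTERACTIVE plus Domain Admins as its members (Restricted Groups replaces the membership rather than appending, so list everything that belongs there). A logged-on user can confirm the effect with `whoami /groups`, which shows NT AUTHORITY\INTERACTIVE in a console session but not in a network session. The caveat is that every interactive logon, including Remote Desktop and local accounts, is now an admin on that PC; an admin on one machine can still recover credentials of other users who have logged on there and reuse them elsewhere, so this closes the C$ problem without making local admin for everyone safe.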
 
Mike

-----Original Message-----

Hi

There exists a very simple solution for this:

We add "NT Authority\Interactive" in the local Administrators group
to let all domain users automatically be local admins when they log
on to a computer interactively.

This is more secure than adding "Authenticated Domain Users",
"Domain Users" or "NT AUTHORITY\Authenticated Users" because you
avoid the issue with cross-network admin rights (remote access)
that these groups introduce (as you have experienced).


--
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/community/scriptcenter/default.mspx

Thanks Torgeir,

That's exactly the kind of fix I was looking for.

Mike
 
Esta Vida Nueva

cquirke (MVP Win9x) said:
Prolly a culture thing. Not every work environment treats users as
scum, and not all users resent their locked-down PCs to the point they
don't care if they let malware loose on them.

Maybe I'm too strict, but surely, for their users' protection, some security
should be enforced, and I can't see reasonable justification to make
everyone administrator. Imagine if a fiddler got a job there.
 
