Help...How to grant users workstation privileges upon login.....

Kiosk

Hi,
I need to be able to provide end users with admin privileges of the
workstation upon their login. I don't want to use a domain group into
the workstation local group because this will make everyone in such
group an admin on every single PC, the end users roam between desktops
so I can't create ID to local group memberships.
Is there a way to run a script when a user logs on to grant that user
admin rights just-in-time? and then remove it when the user logs out?

Thanks for help.....
 
Torgeir Bakken (MVP)

Kiosk said:
I need to be able to provide end users with admin privileges of the
workstation upon their login. I don't want to use a domain group into
the workstation local group because this will make everyone in such
group an admin on every single PC, the end users roam between desktops
so I can't create ID to local group memberships.
Is there a way to run a script when a user logs on to grant that user
admin rights just-in-time? and then remove it when the user logs out?

Thanks for help.....

Hi

We add "NT Authority\Interactive" in the local Administrators group
to let all domain users automatically be local admins when they log
on to a computer interactively.

This is more secure than adding "Authenticated Domain users",
"Domain Users", "NT AUTHORITY\Authenticated Users" or any other
global security group because you avoid the issue with cross
network admin rights (remote access) that these groups introduce.
 
Kiosk

Wow, thanks a lot for the very quick response. I like this option, it
looks very clean, but I wasn't very clear on my original note.
The Interactive users option will basically allow anyone to log on
to that computer with admin rights, but I can only allow a certain
group (a group that roams the computers) with admin rights
and not everyone else....Is there a way to be more granular and only
allow a specific group or ID to gain interactive??
Thanks again,
 
Torgeir Bakken (MVP)

Kiosk said:
Wow, thanks a lot for the very quick response. I like this option, it
looks very clean, but I wasn't very clear on my original note.
The Interactive users option will basically allow anyone to log on
to that computer with admin rights, but I can only allow a certain
group (a group that roams the computers) with admin rights
and not everyone else....Is there a way to be more granular and only
allow a specific group or ID to gain interactive??

Hi

No, that is not possible for "NT Authority\Interactive".

As I see it, you have two options:

1) Create a global group and put it in all the local computers'
Administrator groups, and then add those special users into that
global group. This way you can at least in an easy and central
way control who has this "admin on all computers" role.

2) Add each user account into all the relevant local computers'
Administrator groups. Downside: Very laboursome to implement,
and messy to maintain.
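
An added example, not part of the original thread or any poster's code: a PowerShell audit that flags the broad principals named in this discussion when they appear in a workstation's local Administrators group. The function name, the sample accounts, the `EXAMPLE\Roaming-Admins` group and the domain SID are constructed for illustration.

```powershell
# Added example (not from the thread): flag broad principals in local Administrators.
# Well-known SIDs: S-1-5-4 INTERACTIVE, S-1-5-11 Authenticated Users,
# S-1-1-0 Everyone, S-1-5-21-<domain>-513 Domain Users.
function Get-BroadAdminFinding {
    param([Parameter(Mandatory)][object[]]$Members)
    foreach ($m in $Members) {
        $sid = [string]$m.SID
        $finding = switch -Regex ($sid) {
            '^S-1-5-4$'  { 'Anyone who logs on interactively is a local admin'; break }
            '^S-1-5-11$' { 'All authenticated users are admins, also across the network'; break }
            '^S-1-1-0$'  { 'Everyone is an admin'; break }
            '^S-1-5-21-(\d+-){3}513$' { 'All domain users are admins, also across the network'; break }
        }
        if ($finding) {
            [pscustomobject]@{ Name = $m.Name; SID = $sid; Finding = $finding }
        }
    }
}

# Constructed sample membership; names and SIDs are made up.
$dom = 'S-1-5-21-1111111111-2222222222-3333333333'
$sample = @(
    [pscustomobject]@{ Name = 'PC01\Administrator';       SID = 'S-1-5-21-4444444444-5555555555-6666666666-500' }
    [pscustomobject]@{ Name = 'NT AUTHORITY\INTERACTIVE'; SID = 'S-1-5-4' }
    [pscustomobject]@{ Name = 'EXAMPLE\Domain Users';     SID = "$dom-513" }
    [pscustomobject]@{ Name = 'EXAMPLE\Roaming-Admins';   SID = "$dom-1105" }  # hypothetical option-1 group
)
Get-BroadAdminFinding -Members $sample | Format-Table -AutoSize

# On a real workstation (LocalAccounts module, Windows PowerShell 5.1 or later):
# Get-BroadAdminFinding -Members (Get-LocalGroupMember -SID 'S-1-5-32-544')
```

With the sample data, the INTERACTIVE and Domain Users entries are reported; the dedicated global group from option 1 is not flagged, so who holds admin rights through it has to be reviewed in the domain.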
 
