How can I allow Domain User Accounts Admin rights on their local m

[Guest]

I am in the process of transitioning a small office network from a workgroup
to a domain. Most of the clients are XP Pro. The server is 2000 Server. I
have a test machine that I am working with now. It was originally set up on a
workgroup, and the user account is local. I joined my domain, and there is
now a new user account, similar name. When I try to install software, or some
other things, I do not have access now through this account to install
anything locally. How can I have a domain account set up and still allow that
user admin privlidges locally? Thanks

 

[Shenan Stanley]

I am in the process of transitioning a small office network from a
workgroup to a domain. Most of the clients are XP Pro. The server is
2000 Server. I have a test machine that I am working with now. It was
originally set up on a workgroup, and the user account is local. I
joined my domain, and there is now a new user account, similar name.
When I try to install software, or some other things, I do not have
access now through this account to install anything locally. How can
I have a domain account set up and still allow that user admin
privlidges locally? Thanks

Not recommended, but..

Just add their domain account to the local administrators account.

 

[Guest]

Thanks, you say not recommended, why? Will this be a security threat to the
server?

 

[Colin Nash [MVP]]

Thanks, you say not recommended, why? Will this be a security threat to
the
server?

Ideally, users should not be administrators of workstations. Some times
this is necessary due to what the do, or due to office politics, but
generally it is best to limit them to the least privileges that they
actually need. If *your* account is a member of Domain Admins, then you
should already have admin rights when you log on. If there are other people
who will providing tech support but who don't need to manage the domain
itself, it would be a good idea to create a group on the domain called "IT
Staff" or something, and make this group a member of each workstation's
Administrators group. Put yourself and any other technicians/admins in that
group.

 

[Shenan Stanley]

Thanks, you say not recommended, why? Will this be a security threat
to the server?

Making users administrators on their computers is never a good idea. It
usually increases the workload of the computer administrator ten-fold.
Unless all of your users could, without a computer administrator, completely
setup and magae their systems without fear of
virus/trojan/worms/spyware/adware or erasing the wrong file, moving the
wrong thing - then giving them administrative rights will likely lead to
issues.

Most users do not NEED administrative rights.

Does it open a "security threat" to the server for them to be a local admin?
Depends on how you look at it. You give me rights to install software and
yes - I could be a threat to your server - for which I already know one
username/password (mine) for. Now I can install all sorts of neat tools and
things. I can disable my AV software an copy infected files to the shares.
If you made groups of users admins - I am admins on all other machines too..
I can disable their AV software, infect them and pretty much do what I want.

Saying that your users won't have the tech knowledge to do this? Then
first - why do they need admin rights in that casee? And second - What if
they do it on accident or get infected by something (a worm) to do just all
that?

The command line to add someone to the different groups:

net localgroup "local groupname" "domain\username" /ADD

 

[Guest]

Thanks for all of the replies. This is the info I really needed. Greatly
appreciated.