Membership of user in Active Directory

Alvyn

Hi,

I am asking this question in this forum partly because it is
Active Directory related and security related. Hope I am
in the correct forum. Otherwise please advise.

I installed Norton Antivirus on my local workstation, I
can only do so when I log in as administrator. Well fine.

After installation, I login to the DOMAIN with my own
username.
While trying to run live update (Norton Antivirus) on this
workstation, I was unable to do so because I was
assigned "domain user" in active directory.

But when I was assigned "Domain Admin" or any other
administrators rights in the active directory, I was able
to perform liveupdate successfully.
Also, if I login as Administrator locally, I am able to do
so as well.

My question is wouldn't it be cumbersome for someone to
login as administrator locally to perform liveupdate then
login back to his/her own profile ?

Also, doesn't it defeat the purpose of security whereby
one needs to be assigned "administrator" rights or login
locally as administrator to just perform a liveupdate ?

BTW, I did try to add myself (domain user) in the security
properties and set to full control and propagate
throughout the entire drive C:, but still it does not help.

Also, I am unable to add myself (domain user) as a member
of the local computer administrator.

Can anyone please advise on this, as I have been searching
for the answer for months until I finally posted this
here.

Thanks very much.. :(
 
Jack Hawkins

This has nothing to do with Active Directory. Your problem relates to the
Norton Antivirus software.

Can you not schedule Live-Updates while logged on as Administrator?
 
Guest

Hi sir,

I did not schedule any liveupdate, rather I did a manual
liveupdate, whether logged in as administrator or user.

I just want to know whether there is any way I can
assign administrator rights of the local machine to a
domain user in the active directory.

FYI, I got the domain name "greyed out" in the "Look in"
dialogue box while trying to assign membership to the user.

Thanks
 
Joe Richards [MVP]

Sure you can...

On the workstation in question you can do

net localgroup administrators yourdomain\youruser /add

You can also use a freeware tool from www.joeware.net called lg to do it....

lg \\machinename\administrators yourdomain\youruser /add


Finally you could do it through group policies in the domain but that could get
a little involved depending on exactly who you want added to the administrators
group. It generally isn't good to try and do one off administration of
workstations through AD, it is for doing administration of large groups of machines.

joe
 
Jack Hawkins

Log in as local administrator,

From command prompt, type

NET LOCALGROUP ADMINISTRATORS /ADD "NT AUTHORITY\INTERACTIVE"

This way whoever logs on at the computer will have local admin rights..
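
To see which principals actually hold local admin rights on a workstation after commands like the ones above, this added example (not part of the original posts) lists the local Administrators group and flags broad principals such as NT AUTHORITY\INTERACTIVE. It assumes Windows PowerShell 5.1 or later with the built-in LocalAccounts cmdlets; the function name Get-AdminMemberFinding and the finding labels are illustrative.

```powershell
# Audit the local Administrators group for principals that make every
# logged-on user an administrator. Run on the workstation being checked.

# Well-known SIDs are used instead of names so the check is language-neutral.
$AdminsGroupSid = 'S-1-5-32-544'          # BUILTIN\Administrators
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-4'      = 'NT AUTHORITY\INTERACTIVE'
    'S-1-5-11'     = 'NT AUTHORITY\Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

function Get-AdminMemberFinding {
    param([Parameter(Mandatory)] $Member)

    $sid = $Member.SID.Value
    if ($BroadSids.ContainsKey($sid)) {
        $finding = "Broad principal: $($BroadSids[$sid])"
    }
    elseif ($sid -match '^S-1-5-21-(\d+-){3}513$') {
        # RID 513 is the Domain Users group of whichever domain issued the SID.
        $finding = 'Broad principal: Domain Users'
    }
    elseif ($sid -match '^S-1-5-21-(\d+-){3}(500|512)$') {
        # RID 500 = a built-in Administrator account, RID 512 = Domain Admins.
        $finding = 'Expected default'
    }
    else {
        $finding = 'Review: individually added account or group'
    }

    [pscustomobject]@{
        Name        = $Member.Name
        ObjectClass = $Member.ObjectClass
        SID         = $sid
        Finding     = $finding
    }
}

# Enumerate the group by SID and classify each member.
Get-LocalGroupMember -SID $AdminsGroupSid |
    ForEach-Object { Get-AdminMemberFinding -Member $_ } |
    Sort-Object Finding, Name |
    Format-Table -AutoSize
```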
 
Alvyn

Hi Mr Joe Richards

Thanks very much for the info.

Just curious, you mean within AD itself we cannot assign
local machine admin rights to domain users ?

Regards :)
 
Alvyn

Hi Mr Jack Hawkins

Thank you very much for the info.

Just curious, does it mean that it can only be done via
CLI ? and not AD itself ?

Regards :)
 
Jack Hawkins

No, you can do this via Restricted Groups in group policy, alternatively you
could add the user to the Administrators group in the Builtin container in
Users & Computers snapin.

By default the Domain Admins group will be in the Local Administrators group
of a computer which is a member of the domain.

By giving users administrator rights to their computers, you will end up
causing more headaches for yourself when they start installing their own
software and changing system settings.

You'd be better off configuring Norton Antivirus to schedule live updates
every day.
 
Alvyn

Hi Mr Jack Hawkins,

Once again, thank you. I will try the advice you
have given me.

:)
 
Joe Richards [MVP]

No, not saying that, just saying if you want to assign the permissions to
specific people on specific machines, AD isn't the efficient way to handle that.
If you don't mind assigning everyone that logs onto the machine as admin then
you can do what the other poster indicated with interactive logon security
principal.

joe
 
Alvyn

Hi Mr Joe Richards

Got you. :) Thanks

-----Original Message-----
No not saying that, just saying if you want to assign the permissions to
specific people on specific machines, AD isn't the efficient way to handle that.
If you don't mind assigning everyone that logs onto the machine as admin then
you can do what the other poster indicated with interactive logon security
principal.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net



 
