New domain users - what local groups

  • Thread starter Thread starter SA
  • Start date Start date
S

SA

Hi all,
If nothing is defined for a particular domain user, in what local group will
the domain user be put in by default?

Also we have a particular requirement where the domain user need to be local
administrators of their machine. I was wondering what the most efficient
way to do this other than simply adding the domain users by hand.

thanks,
SA.
 
SA,

Please do not misunderstand me but I would suggest that you create a user
account and then look at the "member of" tab. That would answer that
question.

I always cringe when I here that the normal domain user accounts need to be
a member of the computers local Administrators group. There does not have
to be a problem with this if the users know that there are things that they
should not do and then do not do them. This, however, is very often not the
case. There is usually one, possibly two, who takes advantage and finds
himself / herself in a situation where they messed up something ( like
deleting all of the files in the FONTS folder to make room for his music
files on the local HDD ).

However, if you must do this ( meaning, if Power Users is not going to
work ) then I would suggest that you take a look at the Restricted Groups
GPO. Here are a couple of links:

http://support.microsoft.com/?id=320065

Additional information

http://support.microsoft.com/?id=228496
http://support.microsoft.com/?id=279301
http://support.microsoft.com/?id=320045


I would guess that there is some software that your company users that
requires this. I would go so far as to say that this is either older
software ( when WIN98 was the king! ) or that the programmers are not
cognitive of the problems that this type of requirement causes.

HTH,

Cary
 
Cary,
Thanks for the reply. The problem with the member of tab is that it does
not give me access to the local SAM i.e. the local administrator account.

And the problem with the restricted groups is that I want that domain user
to be the local administrator of his own machine not a whole domain group
of users. I was actually impying some sort of script that uses variables
and such.

If I understand you correctly, the domain users are put in the power users
group by default, right?? Believe me I would love to do this but we have
cranky users who want nothing but administrator access and I am overruled by
higher ups.

Thanks again,
SA.
 
SA,

That is true. The member of tab is going to give you the Domain group
membership, not the local computer group membership. You might try some of
the basic dos-style scripts for this.

Working in an environment like this can be very frustrating. There can be
( and this is the key phrase ) a whole lot of issues when the domain users
accounts are members of the computer's local Administrators group. And if
Management is not in agreement with you then you need to decide if you want
to fight this battle ( because there can be a whole lotta battles to
fight! ) and deal with the possible consequences or not.

HTH,

Cary
 
Back
Top