Power Users in domain


Arsen

How can I create a group in a win2k domain that will give members of this
group administrative privileges to add and remove programs and all that
comes with local admins, without giving them admin rights to the domain?
 

Chriss3

The best way may be to make them members of local admin?

Machine Script Solution:

By combining Windows 2000/2003 GPO and creating a machine script, we can get
a good solution to this problem, while avoiding the problems that the "Restrict
Groups" option from Windows 2000/2003 GPO creates.


The script structure:


Script Name: Machine_Startup_Script.vbs (You can use any name that you
like, but you need to verify that the file name suffix ends with *.vbs).

Operation Interval: Each machine startup or/and shutdown.


'Beginning Of the Script

On Error Resume Next

'get main objects/variables
Set ws = WScript.CreateObject ( "WScript.Shell" )
compname = ws.ExpandEnvironmentStrings ( "%COMPUTERNAME%" )
Set adGrp = GetObject ( "WinNT://" & compname & "/Administrators,group" )

'add domain groups to local admin group
adGrp.Add ( "WinNT://mywindowsdomain.loc/Power Users OR Administrators,group" )

'End of the Script


mywindowsdomain.loc = The name of the domain that the user workstation
logs into.

Sentences that begin with " ' " are used for comments only.

After creating the script, we need to add this script to the Domain Default GPO
as a Computer startup or/and shutdown script and we are done.
--
Regards,

Christoffer Andersson
No email replies please - reply in the newsgroup
If the information was helpful, you can let me know at:
http://www.itsystem.se/employers.asp?ID=1
 

David Brandt [MSFT]

I'm not sure I'm completely clear on exactly what your desired end result
is, but since power users is not recognized by DCs, I'm assuming that this
is for some people to be able to install things on your servers/clients.
Depending on how many boxes you have, and how many people are to be involved
to have this authority (be it only certain people or the user themselves
etc), they can be added to the Administrators group on these machines
individually or via a start up script etc to use the "net localgroup /add"
cmd.
A group can also be created at the domain level and then Delegation used on
whatever OU container those machines are in (outside the default "computers"
container) to "grant" that group whatever privileges you'd like for them to
have. Just right click on the OU, choose delegate control, and follow the
wizard.

--
David Brandt
Microsoft Corporation

This posting is provided "AS IS" with no warranties, and confers no rights.
Please do not send e-mail directly to this alias. This alias is for
newsgroup purposes only.
 

Arsen

Gentlemen, thank you for your help... but the bottom line of this is that I
can add these users to the local admin group, however, they get removed from
the local admin group as soon as they log in. I was told that the policy of
"restricted group" is the reason for this action. However, in the
restriction group policy, I have the built-in Global Administrator with
domain admin as a member. That is all...

Will the script provided below work in my environment, or do I need to change
something?

--------------------------------------------------------
Script Name: Machine_Startup_Script.vbs (You can use any name that you
like, but you need to verify that the file name suffix ends with *.vbs).

Operation Interval: Each machine startup or/and shutdown.


'Beginning Of the Script

On Error Resume Next

'get main objects/variables
Set ws = WScript.CreateObject ( "WScript.Shell" )
compname = ws.ExpandEnvironmentStrings ( "%COMPUTERNAME%" )
Set adGrp = GetObject ( "WinNT://" & compname & "/Administrators,group" )

'add domain groups to local admin group
adGrp.Add ( "WinNT://mywindowsdomain.loc/Power Users OR Administrators,group" )

'End of the Script


mywindowsdomain.loc = The name of the domain that the user workstation
logs into.

Sentences that begin with " ' " are used for comments only.

After creating the script, we need to add this script to the Domain Default GPO
as a Computer startup or/and shutdown script and we are done.
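
A variant of the startup script discussed in this thread, added here as an example and not code from any of the posters: it adds the domain group only when it is missing, writes failures to the Application event log instead of discarding them, and logs the resulting membership so an administrator can see whether it is later reverted. MYDOMAIN and Workstation Admins are assumed placeholder names that do not come from the thread.

```vbscript
Option Explicit

' Assumed placeholders (not from the thread): replace with your own values.
Const DOMAIN_NAME  = "MYDOMAIN"            ' hypothetical domain name
Const DOMAIN_GROUP = "Workstation Admins"  ' hypothetical domain group

' Event types accepted by WshShell.LogEvent
Const EVT_ERROR = 1
Const EVT_INFO  = 4

Dim shell, network, localAdmins, groupPath, present, member, report

Set shell   = CreateObject("WScript.Shell")
Set network = CreateObject("WScript.Network")
groupPath   = "WinNT://" & DOMAIN_NAME & "/" & DOMAIN_GROUP

On Error Resume Next

' Bind to the local Administrators group; log and stop if that fails.
Set localAdmins = GetObject("WinNT://" & network.ComputerName & "/Administrators,group")
If Err.Number <> 0 Then
    shell.LogEvent EVT_ERROR, "Cannot bind to local Administrators: 0x" & Hex(Err.Number)
    WScript.Quit 1
End If

' Check membership first so a normal boot does not raise "already a member".
present = False
present = localAdmins.IsMember(groupPath)
Err.Clear

If Not present Then
    localAdmins.Add groupPath & ",group"
    If Err.Number <> 0 Then
        ' Surface the failure instead of silently ignoring it.
        shell.LogEvent EVT_ERROR, "Failed to add " & groupPath & ": 0x" & Hex(Err.Number)
        Err.Clear
    Else
        shell.LogEvent EVT_INFO, "Added " & groupPath & " to local Administrators"
    End If
End If

' Record the full membership at each run for later review.
report = "Local Administrators on " & network.ComputerName & ":"
For Each member In localAdmins.Members
    report = report & vbCrLf & "  " & member.ADsPath
Next
shell.LogEvent EVT_INFO, report
```

The events appear in the Application log under the WSH source, so comparing the membership reports across boots shows whether an entry added by the script is still present on the next run.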
 
