Best way to give local admin rights only across the domain

What is the best way to give a user admin rights on any workstation
they will login to but not admin rights on the domain?

I am thinking about putting them in group administrators, but I am
afraid that will give them admin rights on the domain.

Thank you


In news:a0b5eaf9-f0c2-40d6-a225-c3792a13c878@c11g2000yqj.googlegroups.com,
compu <Compustud***@gmail.com>, posted the following:
> What is the best way to give a user admin rights on any workstation
> they will login to but not admin rights on the domain?
>
> I am thinking about putting them in group administrators, but I am
> afraid that will give them admin rights on the domain.
>
> Thank you

Restricted Groups is your best option.

Restricted Groups (You'll need to do this from an XP machine)
Going on memory... forgive me if I missed a step...

In AD, create an OU and call it Restricted Groups (or whatever you want to call it)
In AD, create a group and call it Local Power Users Group
Create another and call it Local Admin Users Group
Logon as domain admin on an XP machine
Install the GPMC on an XP machine
Open the GPMC and navigate to the OU you created above
Create and link a new GPO to the OU
Right-click on it and choose Edit
Navigate to the Computer section, and Restricted Groups
Choose new group, browse to the domain's Local Power Users Group and add it to the local XP machine's groups, and choose Power Users
Choose new group, browse to the domain's Local Admin Users Group and add it to the local XP machine's groups and choose Administrators
Move the computer to the OU
Add the user to the Local Power Users Group in AD that you created above
On the machine where the user is logged on, have him logoff and logon
May have to have him do it twice
In the XP's Computer Management console, look at the Local Power Users and Administrators Groups and see if the Domain\Local Power Users Group is added to the machine's local Power Users group and the Local Admin Users Group is added to the machine's local Administrators group.

If so, they will show up as grayed out, meaning the policy is working. If you added the user to the domain's Local Power Users Group, then the user should now be able to perform actions of a Power User.

Using Restricted Groups
http://www.windowsecurity.com/articles/Using-Restricted-Groups.html

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer
ace***@mvps.RemoveThisPart.org

For urgent issues, you may want to contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.


Hello compu,

Restricted groups are made for that:
http://www.frickelsoft.net/blog/?p=13

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> What is the best way to give a user admin rights on any workstation
> they will login to but not admin rights on the domain?
>
> I am thinking about putting them in group administrators, but I am
> afraid that will give them admin rights on the domain.
>
> Thank you
>


Adding "NT Authority\Interactive" to local admin group on a machine gives
admin rights only on that machine - not on entire domain machines.

"compu" <Compustud***@gmail.com> wrote in message
news:a0b5eaf9-f0c2-40d6-a225-c3792a13c878@c11g2000yqj.googlegroups.com...
> What is the best way to give a user admin rights on any workstation
> they will login to but not admin rights on the domain?
>
> I am thinking about putting them in group administrators, but I am
> afraid that will give them admin rights on the domain.
>
> Thank you


You can take advantage of the Local Users and Groups settings of Group
Policy Preferences, which gives you an option to add the current user to an
arbitrary local group (including local Administrators). For more info, refer
to http://technet.microsoft.com/en-us/library/cc731972.aspx

hth
Marcin

"compu" <Compustud***@gmail.com> wrote in message
news:a0b5eaf9-f0c2-40d6-a225-c3792a13c878@c11g2000yqj.googlegroups.com...
> What is the best way to give a user admin rights on any workstation
> they will login to but not admin rights on the domain?
>
> I am thinking about putting them in group administrators, but I am
> afraid that will give them admin rights on the domain.
>
> Thank you
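
An added example, not part of any post in this thread: a PowerShell check for the verification step in the Restricted Groups reply (inspecting the local Administrators group once the policy has applied). It compares the members with an expected list and flags broad principals such as NT AUTHORITY\INTERACTIVE, which make every user who logs on interactively a local administrator. The names CONTOSO and WS01, the SIDs and the function name Test-LocalAdminMembers are assumptions, the sample members are constructed, and the live call in the last comment needs the LocalAccounts module of Windows PowerShell 5.1.

```powershell
# Added example. CONTOSO, WS01, the SIDs and the function name are assumptions.
# Well-known SIDs that would make every logged-on user a local administrator.
$BroadSids = @{
    'S-1-1-0'  = 'Everyone'
    'S-1-5-4'  = 'NT AUTHORITY\INTERACTIVE'
    'S-1-5-11' = 'NT AUTHORITY\Authenticated Users'
}

function Test-LocalAdminMembers {
    param(
        [Parameter(Mandatory)] [object[]] $Members,   # objects exposing Name and SID
        [Parameter(Mandatory)] [string[]] $Expected   # names the policy is meant to leave in place
    )
    foreach ($m in $Members) {
        $sid = [string]$m.SID
        $finding = if ($BroadSids.ContainsKey($sid)) { 'BROAD' }   # whole-population principal
        elseif ($sid -match '^S-1-5-21-.*-513$')     { 'BROAD' }   # Domain Users (RID 513)
        elseif ($sid -match '^S-1-5-21-.*-500$')     { 'OK' }      # built-in Administrator (RID 500)
        elseif ($Expected -contains $m.Name)         { 'OK' }      # allowed by the GPO design
        else                                         { 'UNEXPECTED' }
        [pscustomobject]@{ Name = $m.Name; SID = $sid; Finding = $finding }
    }
}

# Constructed sample of what a workstation's Administrators group might contain.
$dom = 'S-1-5-21-4444444444-5555555555-6666666666'
$sample = @(
    [pscustomobject]@{ Name = 'WS01\Administrator';              SID = 'S-1-5-21-1111111111-2222222222-3333333333-500' }
    [pscustomobject]@{ Name = 'CONTOSO\Domain Admins';           SID = "$dom-512" }
    [pscustomobject]@{ Name = 'CONTOSO\Local Admin Users Group'; SID = "$dom-1105" }
    [pscustomobject]@{ Name = 'NT AUTHORITY\INTERACTIVE';        SID = 'S-1-5-4' }
    [pscustomobject]@{ Name = 'CONTOSO\jdoe';                    SID = "$dom-1234" }
)

$expected = 'CONTOSO\Domain Admins', 'CONTOSO\Local Admin Users Group'
Test-LocalAdminMembers -Members $sample -Expected $expected | Format-Table -AutoSize

# On a live workstation, replace $sample with the real membership of
# BUILTIN\Administrators (well-known SID S-1-5-32-544):
#   Test-LocalAdminMembers -Members (Get-LocalGroupMember -SID 'S-1-5-32-544') -Expected $expected
```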