
Making domain users local admins



Author
24 Nov 2007 2:39 PM
Laphan
Hi All

I had a problem whereby the teachers couldn't use their home internet on
their 'domain-linked' laptops because of the limited access that they get.

Didn't want to make them part of the domain admins groups so somebody
suggested that I add the domain users group (which they are part of) to the
laptop's local admins (ie via Computer Management / Users&Groups/ Groups/
Admins.

Is this OK to do?

They seem to be able to get to the TCP/IP bit now, but what other 'doors'
have I opened to the blessed teachers by doing this?

Can they install/uninstall software now???

Thanks

Laphan

Author
24 Nov 2007 2:48 PM
Pegasus (MVP)
"Laphan" <admin@DontSpam.com> wrote in message
news:exPmZfqLIHA.4456@TK2MSFTNGP03.phx.gbl...
> Hi All
>
> I had a problem whereby the teachers couldn't use their home internet on
> their 'domain-linked' laptops because of the limited access that they get.
>
> Didn't want to make them part of the domain admins groups so somebody
> suggested that I add the domain users group (which they are part of) to
> the
> laptop's local admins (ie via Computer Management / Users&Groups/ Groups/
> Admins.
>
> Is this OK to do?
>
> They seem to be able to get to the TCP/IP bit now, but what other 'doors'
> have I opened to the blessed teachers by doing this?
>
> Can they install/uninstall software now???
>
> Thanks
>
> Laphan
>

They will be able to install/modify/uninstall anything on their
PCs and they have full access to all files and folders. They
have no general access to server-based files but you should
test this to be on the safe side.
Author
24 Nov 2007 4:02 PM
Kerry Brown
With XP there is almost no other way to allow users to use their computer
for normal use. With Vista this will change somewhat with UAC as programs
are updated to be Vista compatible.

--
Kerry Brown
Microsoft MVP - Shell/User
http://www.vistahelp.ca


"Laphan" <admin@DontSpam.com> wrote in message
news:exPmZfqLIHA.4456@TK2MSFTNGP03.phx.gbl...
> Hi All
>
> I had a problem whereby the teachers couldn't use their home internet on
> their 'domain-linked' laptops because of the limited access that they get.
>
> Didn't want to make them part of the domain admins groups so somebody
> suggested that I add the domain users group (which they are part of) to
> the
> laptop's local admins (ie via Computer Management / Users&Groups/ Groups/
> Admins.
>
> Is this OK to do?
>
> They seem to be able to get to the TCP/IP bit now, but what other 'doors'
> have I opened to the blessed teachers by doing this?
>
> Can they install/uninstall software now???
>
> Thanks
>
> Laphan
>
>
Author
24 Nov 2007 5:51 PM
Florian Frommherz [MVP]
Howdie!

Laphan wrote:
> Didn't want to make them part of the domain admins groups so somebody
> suggested that I add the domain users group (which they are part of) to the
> laptop's local admins (ie via Computer Management / Users&Groups/ Groups/
> Admins.
>

Don't make them admins. That's way too much. If those laptops are on
Windows XP, you can use the "Network Operators" group to let them change
IP and network configuration.

cheers,

Florian
--
Microsoft MVP - Windows Server - Group Policy.
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Author
24 Nov 2007 5:58 PM
Laphan
Hi

Tried that and it wouldn't work.

As soon as they got the network components list, ie Client for Networks,
TCP/IP, etc, they couldn't click into the TCP/IP entry to go and edit it.

Although I'm saying that I made them network operators via Active Directory
control panel on the server!

Should I have made the teachers network operators on the Local Admin setup
of the laptop?

Thanks

Laphan

"Florian Frommherz [MVP]" <flor***@PLEASELEAVETHISOUT.frickelsoft.net> wrote
in message news:uRFrsKsLIHA.4688@TK2MSFTNGP06.phx.gbl...
> Howdie!
>
> Laphan wrote:
>> Didn't want to make them part of the domain admins groups so somebody
>> suggested that I add the domain users group (which they are part of) to
>> the
>> laptop's local admins (ie via Computer Management / Users&Groups/ Groups/
>> Admins.
>>
>
> Don't make them admins. That's way too much. If those laptops are on
> Windows XP, you can use the "Network Operators" group to let them change
> IP and network configuration.
>
> cheers,
>
> Florian
> --
> Microsoft MVP - Windows Server - Group Policy.
> eMail: prename [at] frickelsoft [dot] net.
> blog: http://www.frickelsoft.net/blog.
Author
24 Nov 2007 6:09 PM
Florian Frommherz [MVP]
Howdie!

Laphan wrote:
> Although I'm saying that I made them network operators via Active Directory
> control panel on the server!
>
> Should I have made the teachers network operators on the Local Admin setup
> of the laptop?

Of course you need to make those changes on the client computers. Have a
look at "Restricted Groups":

http://technet2.microsoft.com/windowsserver/en/library/2715d832-fe71-47f7-86fd-412f013a40cd1033.mspx?mfr=true
http://www.frickelsoft.net/blog/?p=13

cheers,

Florian
--
Microsoft MVP - Windows Server - Group Policy.
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Author
24 Nov 2007 10:07 PM
RemS
"Florian Frommherz [MVP]" wrote:

> Howdie!
>
> Laphan wrote:
> > Although I'm saying that I made them network operators via Active Directory
> > control panel on the server!
> >
> > Should I have made the teachers network operators on the Local Admin setup
> > of the laptop?
>
> Of course you need to make those changes on the client computers. Have a
> look at "Restricted Groups":
>
> http://technet2.microsoft.com/windowsserver/en/library/2715d832-fe71-47f7-86fd-412f013a40cd1033.mspx?mfr=true
> http://www.frickelsoft.net/blog/?p=13
>
> cheers,
>
> Florian
> --
> Microsoft MVP - Windows Server - Group Policy.
> eMail: prename [at] frickelsoft [dot] net.
> blog: http://www.frickelsoft.net/blog.
>

Assuming you are using cached credentials.

It is recommended to create a new security group in AD and add that group to
the local groups (using 'Restricted Groups'), rather than adding the user
account directly to the local groups.
Then use ADU&C to control the members of the new AD group, by adding or
deleting users to this group.
Once the AD group is added to the specific local group, users just have to
log off and log on at the office, after you added them to the group in AD.

Go through this thread about 'Restricted groups'
http://www.petri.co.il/forums/showthread.php?t=12489

Alternatively you can control the members of local groups by script:
http://windows.stanford.edu/Public/Infrastructure/localgroup.html#Scripts
In this case you add the new AD security group to the local groups by
computer startup script, instead of using the 'Restricted Groups' computer
configuration policy.

If the users do not use cached credentials, then use the local account the
users use to logon at home (or use a startup script to add a new local user
account to the computers). Then add that account to the group; you can do
that also by using Restricted Groups.


\Rems
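As an added example of the startup-script route RemS describes (not code from the thread or from the linked Stanford page), the PowerShell below adds a dedicated AD group to the local "Network Configuration Operators" group (the built-in XP group Florian refers to as "Network Operators") and then audits local Administrators for the catch-all groups Al Dunbar warns against. It assumes a placeholder AD group "SCHOOL\Laptop-NetConfig" and the Microsoft.PowerShell.LocalAccounts cmdlets (Windows 10 / Server 2016 or later).

```powershell
# Added example, not from the thread. Assumes a dedicated AD group named
# "SCHOOL\Laptop-NetConfig" was created in ADU&C (placeholder name) and that
# the Microsoft.PowerShell.LocalAccounts cmdlets are available (Windows 10 /
# Server 2016 and later). Intended to run as a computer startup script.
$DelegatedGroup   = 'SCHOOL\Laptop-NetConfig'            # placeholder, substitute your own
$TargetLocalGroup = 'Network Configuration Operators'    # lets members edit TCP/IP settings

# Refuse to delegate a generic, domain-wide group (the "Domain Users" mistake).
$CatchAll = @('Domain Users', 'Authenticated Users', 'Everyone')
if ($CatchAll | Where-Object { $DelegatedGroup -like "*\$_" -or $DelegatedGroup -eq $_ }) {
    throw "Refusing to grant local rights to a generic group: $DelegatedGroup"
}

# Idempotent add: only modify the local group if the member is missing.
$members = Get-LocalGroupMember -Group $TargetLocalGroup -ErrorAction Stop
if (-not ($members.Name -contains $DelegatedGroup)) {
    Add-LocalGroupMember -Group $TargetLocalGroup -Member $DelegatedGroup
    Write-Output "Added $DelegatedGroup to '$TargetLocalGroup'"
} else {
    Write-Output "$DelegatedGroup is already a member of '$TargetLocalGroup'"
}

# Audit: report any catch-all group that ended up in local Administrators,
# which is the exposure Pegasus describes (install anything, all files).
$admins = Get-LocalGroupMember -Group 'Administrators'
$bad = $admins | Where-Object { $CatchAll -contains $_.Name.Split('\')[-1] }
if ($bad) {
    Write-Warning ('Generic groups found in local Administrators: ' + ($bad.Name -join ', '))
    # Remediation, once the dedicated group is in place:
    # $bad | ForEach-Object { Remove-LocalGroupMember -Group 'Administrators' -Member $_.Name }
} else {
    Write-Output 'Local Administrators contains no generic domain-wide groups.'
}
```

Membership changes only take effect in a user's token after they log off and log on again, as RemS notes.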
Author
25 Nov 2007 12:00 AM
Al Dunbar
"Florian Frommherz [MVP]" <flor***@PLEASELEAVETHISOUT.frickelsoft.net> wrote
in message news:uRFrsKsLIHA.4688@TK2MSFTNGP06.phx.gbl...
> Howdie!
>
> Laphan schrieb:
>> Didn't want to make them part of the domain admins groups so somebody
>> suggested that I add the domain users group (which they are part of) to
>> the laptop's local admins (ie via Computer Management / Users&Groups/
>> Groups/ Admins.
>>
>
> Don't make them admins. That's way too much. If those laptops are on
> Windows XP, you can use the "Network Operators" group to let them change
> IP and network configuration.

And don't add a generic AD group like "Domain Users" to *any* group with
privileges on a workstation. This is why "\RemS" recommended you create a
new AD group for the purpose - so that it can be managed.

/Al

> cheers,
>
> Florian
> --
> Microsoft MVP - Windows Server - Group Policy.
> eMail: prename [at] frickelsoft [dot] net.
> blog: http://www.frickelsoft.net/blog.
