Active Directory & local permissions in XP.


Terry

I have a Windows 2003 server with Active Directory installed on it. I'm setting up a number of Windows XP Pro clients that will join the domain. When I join the
domain with an XP client, I lose the ability to add and delete items from my start menu on the XP box. For instance, if I try to delete something out of the
startup group, I get access denied.

How can I be a normal domain user but also be admin of my local computer?

TIA
 
You must add that domain user to the local Administrators group. To do that,
go to Control Panel - User Accounts (if I remember well).
 
No such capability exists in that control panel applet.

However, I was able to solve the problem through this long drawn-out process:

· Log on as the domain user to the computer in question.
· Click on Start, Run, and type in "runas /user:administrator mmc.exe".
· When prompted, enter the password for the local admin.
· In MMC, load the Computer Management snap-in.
· Add "<domain>\Domain Users" to the local administrators group, <domain> being your domain.
· When prompted for a domain logon, enter the domain administrator's user ID and password.
· Reboot.

What a frick'n major pain!

Is there any way to push this out from the domain controller by a policy or something? I know I could probably do it with a run-once script pushed out by
policy, but there should be something more elegant than that.
 
Terry,

You can do this either by adding domain users to the local administrators
group or by using Restricted Groups in a GPO to assign these rights.

Remember though, that security is there for a reason and there are TONS of
reasons not to want your normal users as Local Admins. You might try Power
Users first before going all the way to Local Admins.

As to the steps you are going through to set that manually, remember that
any member of the Domain Admins group is a member of the Local Admins group
on any member machines (unless you manually remove that). You can change
the users' group memberships through the Computer Management applet, right
clicking on My Computer | manage, or by command line.
 
> Terry,
>
> You can do this either by adding domain users to the local administrators
> group or by using Restricted Groups in a GPO to assign these rights.

I'm not familiar with Restricted Groups. But the name seems to imply the taking away of privileges, not adding. Can you provide a link to more information?

I recently purchased a big honk'n book on Server 2003 (I believe it's three inches thick, so it must be good) and I looked up Restricted Groups in it, but of
course it was only mentioned in passing. However, the chapter I read did talk about Security Templates and deploying them with GPOs. Do you think this would
also be a valid approach?

> Remember though, that security is there for a reason and there are TONS of
> reasons not to want your normal users as Local Admins. You might try Power
> Users first before going all the way to Local Admins.

I'm more concerned with functionality than security on the local computer. Once everything is automated, I can rebuild a workstation in less than 30 minutes.

> As to the steps you are going through to set that manually, remember that
> any member of the Domain Admins group is a member of the Local Admins group
> on any member machines (unless you manually remove that). You can change
> the users' group memberships through the Computer Management applet, right
> clicking on My Computer | manage, or by command line.


Thanks for the info.
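
Added example, not part of any post in this thread: a GPO stores Restricted Groups settings in the [Group Membership] section of GptTmpl.inf, where a "__Members" entry replaces a group's membership and a "__Memberof" entry only adds to it. The Python sketch below audits such a section for what ends up in local Administrators and flags broad principals such as Domain Users; the domain SID and the EXAMPLE\Workstation Admins group are constructed for illustration.

```python
import re

# Constructed sample of the [Group Membership] section a Restricted Groups
# policy writes to GptTmpl.inf; the domain SID and group name are made up.
SAMPLE_INF = r"""
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-512,*S-1-5-21-1111111111-2222222222-3333333333-513
EXAMPLE\Workstation Admins__Memberof = *S-1-5-32-544
EXAMPLE\Workstation Admins__Members =
"""

LOCAL_ADMINS = "*S-1-5-32-544"          # BUILTIN\Administrators
BROAD_SIDS = {"*S-1-1-0": "Everyone", "*S-1-5-11": "Authenticated Users"}
DOMAIN_USERS = re.compile(r"^\*S-1-5-21-\d+-\d+-\d+-513$")  # RID 513

def broad_name(principal):
    """Return a label if the principal covers every ordinary user, else None."""
    if DOMAIN_USERS.match(principal):
        return "Domain Users"
    return BROAD_SIDS.get(principal)

def audit_restricted_groups(inf_text):
    """Return findings about who the template puts in local Administrators."""
    findings, in_section = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        group, _, kind = key.strip().rpartition("__")
        values = [v.strip() for v in value.split(",") if v.strip()]
        if kind.lower() == "members" and group == LOCAL_ADMINS:
            # "Members" is authoritative: anyone not listed is removed.
            findings.append(("replace", group, values))
            findings += [("broad", broad_name(v), v) for v in values if broad_name(v)]
        elif kind.lower() == "memberof" and LOCAL_ADMINS in values:
            # "Member of" is additive: existing local admins stay in place.
            findings.append(("additive", group, [LOCAL_ADMINS]))
            if broad_name(group):
                findings.append(("broad", broad_name(group), group))
    return findings

if __name__ == "__main__":
    for finding in audit_restricted_groups(SAMPLE_INF):
        print(finding)
```

On the sample, the audit reports that the template replaces the local Administrators membership, that Domain Users is among the listed members, and that the dedicated workstation-admins group is added without removing anyone.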
 