Admin on computer but not network.


Scott Burke

I want each user to be an administrator on their own computer but not on the
network. The reason is that they need to be able to install software and
change computer settings any way they want/need. This is a management
requirement. They are NOT administrators on the server.

Can that be done?
What unknown problems will it cause?
If yes, what about VISTA?

Thank You
Scott Burke
 
Scott said:
I want each user to be an administrator on their own computer but
not on the network. The reason is that they need to be able to
install software and change computer settings any way they
want/need. This is a management requirement. They are NOT
administrators on the server.

Can that be done?
Yes.

What unknown problems will it cause?

Unknown problems? No one knows - thus why they are unknown.

Known issues - they will likely infest/infect their own machines and not be
able to clean them; they will be more vulnerable to all sorts of attacks; it
is a security risk for your overall network; etc...
If yes, what about VISTA?

What about it?
Thank You
Scott Burke

NP.
 
Shenan Stanley,
As everyone in the news groups know, an unknown issue for me could easily
be common knowledge for someone else. That is one of the major POINTS for
the news groups! If that is too difficult for you to grasp then please
follow this link:
http://www.catb.org/~esr/faqs/bit_me.html


The reason I kept the question vague is so no one will put themselves in a
box while trying to answer it. If you want an example of what I am trying to
do then ask for an example, I would be happy to give you one.

Example: Our in-house custom software, written by someone who does not work
here anymore, has a problem with the monitor being turned off. It has no
problem with screen savers but when Windows turns off the monitor there is a
50/50 chance that the program will crash. It is just a pain for me to stop
what I am doing to run upstairs, have the user save their work, kick them off
their computer, log in as me, then change the power setting in Windows, log
off and have them (user) log back in.

In this case it would be nice to instruct them on how to change the power
settings over the phone. They can't do that right now because of their
security settings!

My suggestion on making them Administrators is simple, I don't know of any
other solution!

I would be happy to hear what other people have done and what kind of
success they have had. or not...


Scott Burke
 
Here is what I do to give users local rights on their computer.

I create an Active Directory group for example called LocalAdmins and
LocalPowerUsers
I add these groups to the local groups "Administrators" and "PowerUsers"
respectively.
This way I can control who has these rights from the network and not have to
make changes on the local computer.

Hope this helps

Kelvin
 
Scott said:
Shenan Stanley,
As everyone in the news groups know, an unknown issue for me could
easily be common knowledge for someone else. That is one of the
major POINTS for the news groups! If that is too difficult for you
to grasp then please follow this link:
http://www.catb.org/~esr/faqs/bit_me.html

First off - no need to be an ass.

You mis-quoted my signature like it was meant just for you. It wasn't - it
has been my signature for years. As for "everyone in the newsgroups know"
<- what? Everyone in these newsgroups know you by name? If that's so -
then surely you knew that was my standard signature (being such a regular
that everyone knows...) - because I have been posting in these newsgroups for
years - very frequently.

I do not know you, your name is not familiar to me. I made no judgement on
your knowledge level beyond the fact that you seem to have been appointed a
system administrator possibly before you were ready.

These newsgroups were meant to get assistance with problems - not general
"how do I administer my company network" training guides. ;-)
The reason I kept the question vague is so no one will put
themselves in a box while trying to answer it. If you want an
example of what I am trying to do then ask for an example, I would
be happy to give you one.

Why should I *ask* for an example? You are the one with the issue - I am
voluntarily giving of my time and expertise to assist. Dragging the true
need out of you is not something that anyone here is required to do - nor
should you expect it.
Example: Our in-house custom software, written by someone who does
not work here anymore, has a problem with the monitor being turned
off. It has no problem with screen savers but when Windows turns
off the monitor there is a 50/50 chance that the program will
crash. It is just a pain for me to stop what I am doing to run
upstairs, have the user save their work, kick them off their
computer, log in as me, then change the power setting in Windows,
log off and have them (user) log back in.

So - set your domain group policy so that their power settings do not turn
off the monitor or so that users can control their own screensaver/power
settings without administrative rights or use Remote Desktop or better yet -
offer Remote Assistance and see what they see and help them remotely without
ever leaving your desk or getting off the phone with them.
In this case it would be nice to instruct them on how to change the
power settings over the phone. They can't do that right now
because of their security settings!

See above.
My suggestion on making them Administrators is simple, I don't know
of any other solution!

Group Policies would be a start. Remote Assistance would be a plus as well.

Unless they are developers, they shouldn't need administrative rights - and
even then, I believe the better solution (given they do not need direct
access to certain hardware) would be virtualization - where they run/test
their software in a virtual environment. (VirtualBox is a freeware
virtualization product.) This gives them more flexibility and such - and
protects your environment.
I would be happy to hear what other people have done and what kind
of success they have had. or not...

The majority of people with the most success will be those who locked down
their systems and then used the tools like Group Policy, Remote Assistance,
Scripting, etc to manage the systems remotely and not allow the users to
'run free'. Usually - regular users with free rein are worse than the
running back and forth you might have to do - which can be greatly minimized
with the tools available to manage Windows systems.


It's simple - manage it like every other business does with a group of
Windows computers. In a domain. You can change the settings with domain
policies, you can remotely control the computers completely, even offer
remote assistance (so you never have to leave the comfort of your office.)
 
Hi Kelvin,
Thanks for your reply. I like that idea. I am lost on how
this would work.
1) I can control the local rights with these groups?
2) Do I add these groups to the user when I need to do something and then
remove the group when I am done?


Please explain in more detail on how this idea will work?


Thank you,
Scott Burke
 
Create a Group on your domain, i.e. "LocalPowerUsers"
Go to a PC where you want to give someone Power User rights.
Log in as the local Administrator, or a Domain Admin.
Click Start, then right click on My Computer, and from the shortcut menu
choose "Manage".
Go to "System Tools\Local Users and Groups\Groups"
Open the Power Users group and click Add.
Make sure in the box that says "Select this object type" that it says "Users
and Groups". If it doesn't, click on Object Type and check the box in front
of "Groups".
Make sure the "From this location" box has your domain listed. If not, click
the Locations button and select your domain under "Entire Directory".
In "Enter the object names to select", type "LocalPowerUsers" (without the
quotes).
You can click the button "Check Names" if you like to be sure you have typed
everything correctly and to ensure the PC can see your domain group.
You're all set. Now just add people to your domain group "LocalPowerUsers"
and the next time they log onto their PC they will have Power User rights.
I add a "LocalPowerUsers" and a "LocalAdminUsers" group to all the computers
on my network when I first set them up.

Whoever you make a member of your domain group automatically becomes a
member of the local group, because the Domain Group is a member of the Local
Group...

Hope this helps!

Kelvin



 
Kelvin,
That looks real good. I am going to give it a try.

Thanks for the help.
Scott Burke
 
In addition to the other replies

You could use Restricted Groups:
http://www.windowsecurity.com/articles/Using-Restricted-Groups.html

or, here's what I do:

Set up AD groups called LocalAdmin, LocalPowerUser (or whatever you like).
You can also create one for Remote Desktop access, too - in this case,
RDaccess

The batch file would have this:
.........
rem Local group names that contain spaces must be quoted
net localgroup Administrators DOMAIN\localadmin /add
net localgroup "Power Users" DOMAIN\localpoweruser /add
net localgroup "Remote Desktop Users" DOMAIN\RDaccess /add
.........

You can create/link a new GPO at the appropriate OU where your computers
live (if you haven't created custom ones, you'll need to - unless you're
using SBS, which creates its own hierarchy).

Edit the GPO - go to Computer Configuration \ Windows Settings \ Scripts
(startup/shutdown)
Double-click Startup, click Add
Copy the batch file you created to the clipboard, then paste it in the
window here
Exit/apply/ok/finish whatever

All the computers in this OU should have the startup script applied when
they restart, and you can now control all this at the server.

THAT SAID - it's incredibly bad practice to let users have local admin
rights. Users should not be installing their own software, monkeying around
with network settings, whatnot. This is, frankly, a really dumb management
request.

ALSO: Please, play nice with the other kids in here. Everyone here is
volunteering their time to help out total strangers. There is no guarantee
that you will always get good advice, or advice you like (whether good or
not). Politely thank the people for replying and take what you wish out of
their posts, or ignore them. Just be aware that an air of entitlement will
not befriend you to the regulars in here and will decrease the odds of your
getting help (again: it's FREE) in the future. Pax, and caveat emptor, and
all that Latin stuff.
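
An added example, not part of the posts above: a PowerShell take on the same startup script that can run at every boot without failing on repeats, and that also reports any member of the local Administrators group outside an expected list. It assumes Windows PowerShell 5.1 or later (for the LocalAccounts cmdlets); DOMAIN, the group names and the allow list are placeholders.

```powershell
# Added example (not from the thread). Requires Windows PowerShell 5.1+ for the
# Microsoft.PowerShell.LocalAccounts cmdlets; run elevated or as a GPO startup script.
# DOMAIN is a placeholder for the NetBIOS domain name; group names follow the post above.
$desired = [ordered]@{
    'Administrators'       = 'DOMAIN\localadmin'
    'Power Users'          = 'DOMAIN\localpoweruser'
    'Remote Desktop Users' = 'DOMAIN\RDaccess'
}

foreach ($localGroup in $desired.Keys) {
    $domainGroup = $desired[$localGroup]
    # Only add when missing, so the script is safe to run at every startup.
    $current = @(Get-LocalGroupMember -Group $localGroup -ErrorAction Stop |
                 Select-Object -ExpandProperty Name)
    if ($current -notcontains $domainGroup) {
        Add-LocalGroupMember -Group $localGroup -Member $domainGroup -ErrorAction Stop
        Write-Output "Added $domainGroup to local group '$localGroup'"
    }
}

# Audit: any member of local Administrators that is not on the expected list is
# worth a look, e.g. a user account added directly on the PC instead of via the AD group.
$allowed = @(
    "$env:COMPUTERNAME\Administrator",   # built-in local account (assumed not renamed)
    'DOMAIN\Domain Admins',
    'DOMAIN\localadmin'
)
$unexpected = @(Get-LocalGroupMember -Group 'Administrators' |
                Where-Object { $allowed -notcontains $_.Name })
foreach ($member in $unexpected) {
    Write-Warning ("Unexpected local administrator on {0}: {1} ({2}, {3})" -f
        $env:COMPUTERNAME, $member.Name, $member.ObjectClass, $member.PrincipalSource)
}
```

Membership changes made to the domain groups take effect at the user's next logon, because group membership is evaluated when the logon token is built.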
 
Shenan Stanley's comments about using Group Policies are also relevant.
If you just need to have a setting a certain way and that setting applies to
a group of computers/users then GP might be a better option...

Kelvin


 
Thank you everyone.
Sorry I could not write sooner because we have had about three major
disasters. I am still working on one of them right now. I will write again
soon.


Thanks again
Scott Burke
 