GPO and Remote Users

  • Thread starter: Steve

Steve

We need our notebook users who log in to their notebooks
with a cached copy of their domain profile when out of the
office to have the same sort of rights as the Power User
would have, i.e. install software, add/remove devices, etc.

If this is possible, how is it done?

Steve
 
By default, logon with cached credentials is enabled. You could also add the users'
domain account to the local Power Users group on their computer, which may accomplish
what you need, though to remove and add devices they may need to be in the local
Administrators group, which gives them a lot of power on their local computer, but
you may not have any other option. Keep in mind that both Power Users and local
administrators can create local users [if they know how], and if they log on with local
user accounts, user configuration Group Policy from the domain will not apply to
them. You can also configure Local Security Policy on a computer via gpedit.msc,
which will apply to ALL users that log on with local accounts, which may help prevent
the idle curious from changing settings that may cause problems on their computer.
--- Steve
 
Cheers for that.

Steve
Steven L Umbach said:
By default, logon with cached credentials is enabled. You could also add the users'
domain account to the local Power Users group on their computer, which may accomplish
what you need, though to remove and add devices they may need to be in the local
Administrators group, which gives them a lot of power on their local computer, but
you may not have any other option. Keep in mind that both Power Users and local
administrators can create local users [if they know how], and if they log on with local
user accounts, user configuration Group Policy from the domain will not apply to
them. You can also configure Local Security Policy on a computer via gpedit.msc,
which will apply to ALL users that log on with local accounts, which may help prevent
the idle curious from changing settings that may cause problems on their computer.
--- Steve
 
I read on another post in this newsgroup that you can use the following cmd
to add users and that it can be added to the startup/shutdown scripts of a
GPO to automate this process:

net localgroup "local group name" "domain\group name" /add

Do scripts that exist on a DC get replicated to BDCs automatically, or do we
need to copy them to each BDC?

Steve

 
If they are "Group Policy" scripts, they will be replicated among all W2K/W2003 domain
controllers in the domain. If you mean NT4.0 when you mention BDC, NT4.0 is not AD
aware, though W2K/XP Pro domain computers will obtain Group Policy scripts from the
W2K domain controllers. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;EN-US;322241

Steve Bray said:
I read on another post in this newsgroup that you can use the following cmd
to add users and that it can be added to the startup/shutdown scripts of a
GPO to automate this process:

net localgroup "local group name" "domain\group name" /add

Do scripts that exist on a DC get replicated to BDCs automatically, or do we
need to copy them to each BDC?

Steve

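The startup-script approach discussed in this thread, written out as an added example that is not part of any post here: a computer startup script that adds a domain group to a local group only when it is missing, logs the outcome, and records who holds elevated local rights. The group names and the log path are placeholder assumptions.

```bat
@echo off
rem Added example, not from the thread. Intended as a GPO computer startup
rem script; startup scripts run as Local System, which may edit local groups.
rem LOCALGROUP, DOMAINGROUP and LOG are placeholder values; adjust them.
setlocal
set "LOCALGROUP=Power Users"
set "DOMAINGROUP=EXAMPLE\Notebook Users"
set "LOG=%SystemRoot%\Temp\localgroup-startup.log"

echo [%DATE% %TIME%] %COMPUTERNAME%: checking "%LOCALGROUP%" >> "%LOG%"

rem Skip the add when the domain group is already a member, so that a
rem reboot does not log a failure for an entry that is already in place.
net localgroup "%LOCALGROUP%" | find /i "%DOMAINGROUP%" > nul
if not errorlevel 1 goto record

rem Keep the net.exe message in the log so a failing script can be diagnosed.
net localgroup "%LOCALGROUP%" "%DOMAINGROUP%" /add >> "%LOG%" 2>&1
if errorlevel 1 (
    echo [%DATE% %TIME%] add FAILED, see the net.exe message above >> "%LOG%"
) else (
    echo [%DATE% %TIME%] added "%DOMAINGROUP%" >> "%LOG%"
)

:record
rem Record who holds elevated local rights on this notebook for later review.
net localgroup "%LOCALGROUP%" >> "%LOG%" 2>&1
net localgroup Administrators >> "%LOG%" 2>&1

rem List the local accounts. Users who log on with one of these do not
rem receive user configuration Group Policy from the domain.
net user >> "%LOG%" 2>&1
endlocal
```

Reviewing the logged `net user` output against a known baseline shows when a Power User or local administrator has created an extra local account on the notebook.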
 
Great, thanks - was referring to a 2K domain! All I have to do is find out
why ZoneAlarm stops the User settings from the GPO and why the script
doesn't work. No rest for the wicked!

Thanks again.

Steve

 