Local admin rights?

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

Hello,

I have a client running a Novell and WindowsNT4.0 environment. When users
log into Novell, they are also logged onto the domain (since passwords
match). Currently, no one has local admin access to their own machine, so
they cannot install software, use Windows Update, etc. What is the easiest
way to give a user local admin rights to their own machine under WinNT4.0? I
tried creating a local account on the workstation, but then realized that the
user never logs on to this workstation account since they are authenticating
to the domain. Users need to be able to install software, use Windows
Update, etc. The only stipulation is that users should NOT be able to view
another machine's C: drive (i.e., \\machine-name\c$).

Thanks for any advice-
Shane
 
Add the user's domain account to the local Administrator's group on each
individual workstation. Be sure to add only the domain account of the user
who "owns" that machine, so that they cannot access each others'
information.
 
While adding a the user's domain account to the local
machine's Administrators group accomplishes your
objective, it is, IMO loosing ground. Instead, tell them
that they need to log off from their domain account and
then log in with the local account you have already
defined in order to install software, or use Windows
Update. If you have a Windows (post-NT4) server with
IIS you could consider installing a SUS server so that
the users would not need to visit Windows Update for
security patches.
 
Shane said:
Hello,

I have a client running a Novell and WindowsNT4.0 environment. When users
log into Novell, they are also logged onto the domain (since passwords
match). Currently, no one has local admin access to their own machine, so
they cannot install software, use Windows Update, etc. What is the easiest
way to give a user local admin rights to their own machine under WinNT4.0? I
tried creating a local account on the workstation, but then realized that the
user never logs on to this workstation account since they are authenticating
to the domain. Users need to be able to install software, use Windows
Update, etc. The only stipulation is that users should NOT be able to view
another machine's C: drive (i.e., \\machine-name\c$).
Hi

We add "NT Authority\Interactive" in the local Administrators
group to let all domain users automatically be local admins
when they log on to a domain computer interactively.

This is more secure than adding "Authenticated Domain users ",
"Domain Users" or "NT AUTHORITY\Authenticated Users" because you
avoid the issue with cross network admin rights (remote access)
that these groups introduces.
 
A small handful of users needs to be able to install
programs periodically on WinXP workstations. We have no
Windows Domain here, and by default all users are made
members of the Power Users group.

Rather than make these users members of the local
Administrators group, I was wondering if one of the local
User Right settings could be modified to allow them to
accomplish a periodic software install?
 
There is not a user right that can accomplish that but if the software
install is a .msi package or can be converted into a .msi package then you
can modify the local Group Policy so that .msi applications are always
installed with elevated permissions. Local Group Policy is opened via
gpedit.msc and on a local computer will apply to ALL users that use the
computer. You would have to enable always installed with elevated
permissions in both computer and user configuration. The link below explains
more. --- Steve

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/gp/324.asp
 
Thanks a lot Steve. This is just what I was looking for.
I simply did not know precisely what to ask for.
 
You know, I have tried very hard to drill down to this
article in the MSDN Library though its Table of Contents
without success. I sometimes find it useful to do this so
as to identify what subtle associations the author is
making about this subject matter.

Alternatively, I can find this article by searching
for 'elevated permissions' ok.
 
Back
Top