Local Group Policy

  • Thread starter Thread starter Dan Hurley
  • Start date Start date
D

Dan Hurley

Hello,

I want to give domain users that belong to a single AD
domain the ability to have local administrator rights to
a local computer (so they can install and run local apps
that require it). In other words, I want to give Domain
Users admin rights to a local computer when they log onto
the domain using Domain level Group Policies.

I cannot find in the GP editor in domain Users and
Computers MMC...how can I do this from a domain level to
set approx 1200 computers?

Thanks
 
-----Original Message-----
Hello,

I want to give domain users that belong to a single AD
domain the ability to have local administrator rights to
a local computer (so they can install and run local apps
that require it). In other words, I want to give Domain
Users admin rights to a local computer when they log onto
the domain using Domain level Group Policies.

I cannot find in the GP editor in domain Users and
Computers MMC...how can I do this from a domain level to
set approx 1200 computers?

Thanks

.
Dan,

I can only suggest to you that you be extremely careful
with this and reconsider. I speak from experience.
Allowing users to have their domain account a member of
the local Administrators group is asking for a whole new
world of problems for you. There will always be the
users who will not go where they are not supposed to go.
Bless their hearts! And there will always be the users
who want to push everything and go everywhere ( and these
users *usually* have the knowledge and experience to not
casue too many problems ). However, allowing this for
the rest ( the overwhelming majority of users ) is going
to be a huge problem for you. They have access to
everything. People will delete their fonts folder
because they are downloading a ton of music/videos and
are getting low on HDD space. People will install all of
those annoying apps that will casue their system to come
to a crawl ( like HOTBAR! ). People will start changing
things and changing things and eventually come to a place
where they are "stuck" and call you with a problem and
swear up and down that they were not doing anything! All
I can say to you about this is: hope you have a
comfortable place to sleep at the office!

However, if you do decide to do this ( strongly
reconsider ) then take a look at Restricted Groups. Make
sure that you use the "newer" version. I say this
because there were two versions out at one time ( about
six months ago or so ). The "older" version had the
downside that it would kick out all of the "current"
members of the, in your case, local Adminsitrators group
and replace them with whatever group you choose. Think
about that for a second: Domain Admins is no longer a
member of local Adminsitrators group! The "newer" version
simply adds the "whatever group you choose" to the
current members of the, in your case, local
Administrators group.

Take a look at the following MS KB Articles:

http://support.microsoft.com/default.aspx?scid=kb;en-
us;320065&Product=win2000
( this is the one that you want...please look at the
others as well, though )

http://support.microsoft.com/default.aspx?scid=kb;en-
us;810076&Product=win2000
(the way to get the "newer" version that I mentioned )

http://support.microsoft.com/default.aspx?scid=kb;en-
us;320045&Product=win2000
( a general ovrview )

http://support.microsoft.com/default.aspx?scid=kb;en-
us;228496&Product=win2000
( again, for a general overview )

http://support.microsoft.com/default.aspx?scid=kb;en-
us;279301&Product=win2000
( again, for a general overview )

http://support.microsoft.com/default.aspx?scid=kb;en-
us;306100&Product=win2000
( for troubleshooting any problems )

HTH,

Cary
 
Thanks so much, that worked like a charm....I also
appreciate your concerns about doing this. Unfortunately,
we have a need to do it as we are rolling out a new
enterprise-wide app that every user will need to install
elements and updates on a regular bases. Thanks again!!

Dan
 
-----Original Message-----
Thanks so much, that worked like a charm....I also
appreciate your concerns about doing this. Unfortunately,
we have a need to do it as we are rolling out a new
enterprise-wide app that every user will need to install
elements and updates on a regular bases. Thanks again!!

Dan


.
Dan,

You are welcome. I really hate it when users have to be
a member of the local Administrators group in order to be
able to install software.

I might suggest, then, that you consider using Restricted
Groups. Maybe after the installation of the software you
can remove this??? However, please test this before
implementing it. I have seen situations before where you
install the application as the local Administrator ( to
that local machine ) and then log on as the user ( using
the domain user account ) as a member of the local Admins
account. You change that later to Power user and the
application does not run anymore!!!!!

HTH,

Cary
 
Back
Top