-----Original Message-----
Hello,
I want to give domain users that belong to a single AD
domain the ability to have local administrator rights to
a local computer (so they can install and run local apps
that require it). In other words, I want to give Domain
Users admin rights to a local computer when they log onto
the domain using Domain level Group Policies.
I cannot find in the GP editor in domain Users and
Computers MMC...how can I do this from a domain level to
set approx 1200 computers?
Thanks
.
Dan,
I can only suggest to you that you be extremely careful
with this and reconsider. I speak from experience.
Allowing users to have their domain account a member of
the local Administrators group is asking for a whole new
world of problems for you. There will always be the
users who will not go where they are not supposed to go.
Bless their hearts! And there will always be the users
who want to push everything and go everywhere ( and these
users *usually* have the knowledge and experience to not
casue too many problems ). However, allowing this for
the rest ( the overwhelming majority of users ) is going
to be a huge problem for you. They have access to
everything. People will delete their fonts folder
because they are downloading a ton of music/videos and
are getting low on HDD space. People will install all of
those annoying apps that will casue their system to come
to a crawl ( like HOTBAR! ). People will start changing
things and changing things and eventually come to a place
where they are "stuck" and call you with a problem and
swear up and down that they were not doing anything! All
I can say to you about this is: hope you have a
comfortable place to sleep at the office!
However, if you do decide to do this ( strongly
reconsider ) then take a look at Restricted Groups. Make
sure that you use the "newer" version. I say this
because there were two versions out at one time ( about
six months ago or so ). The "older" version had the
downside that it would kick out all of the "current"
members of the, in your case, local Adminsitrators group
and replace them with whatever group you choose. Think
about that for a second: Domain Admins is no longer a
member of local Adminsitrators group! The "newer" version
simply adds the "whatever group you choose" to the
current members of the, in your case, local
Administrators group.
Take a look at the following MS KB Articles:
http://support.microsoft.com/default.aspx?scid=kb;en-
us;320065&Product=win2000
( this is the one that you want...please look at the
others as well, though )
http://support.microsoft.com/default.aspx?scid=kb;en-
us;810076&Product=win2000
(the way to get the "newer" version that I mentioned )
http://support.microsoft.com/default.aspx?scid=kb;en-
us;320045&Product=win2000
( a general ovrview )
http://support.microsoft.com/default.aspx?scid=kb;en-
us;228496&Product=win2000
( again, for a general overview )
http://support.microsoft.com/default.aspx?scid=kb;en-
us;279301&Product=win2000
( again, for a general overview )
http://support.microsoft.com/default.aspx?scid=kb;en-
us;306100&Product=win2000
( for troubleshooting any problems )
HTH,
Cary