problem with giving domain users local admim rights

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

I have server 2000 running and have created a security group with certain
users added to it.
I want these users to have local admin rights to all workstations in the
domain. So I created a logn script and added the net localgroup
"domain\group" /add, and then applied to the domain thru gpo on the logon
script part. for wahtever reason this is not adding the security group to the
local admin group on the workstation. The rest of the script works fine
though.
 
vamshi said:
I have server 2000 running and have created a security group with
certain users added to it.
I want these users to have local admin rights to all workstations in
the domain. So I created a logn script and added the net localgroup
"domain\group" /add, and then applied to the domain thru gpo on the
logon script part. for wahtever reason this is not adding the
security group to the local admin group on the workstation. The rest
of the script works fine though.
Click to expand...

Is the login script running under the user's credentials? They can't grant
themselves more rights than they have now.

I strongly suggest you rethink this anyway - users shouldn't have local
admin rights. Very Bad Things can happen this way.
 
I applied the logon script to the OU the users are in thru gropu policy under
user config.\windows settings\logon etc.
they need admin rights because we are cconstantly evaluating new software
from companies we do business with. And also there are updates to these third
parry programs that come out on a monthly basis. This would allow users to
install stuff llike hotbar and weatherbug, but we can scan the network for
those and have users remove it. It would be less administration if users had
admin rights. and anybody that abuses those privilges will be dealt with on a
case by case basis.

Should i run this script at statup instead
 
vamshi said:
I applied the logon script to the OU the users are in thru gropu
policy under user config.\windows settings\logon etc.
Click to expand...

OK - as said, a user cannot grant himself more permissions than he already
has.
they need admin rights because we are cconstantly evaluating new
software from companies we do business with. And also there are
updates to these third parry programs that come out on a monthly
basis. This would allow users to install stuff llike hotbar and
weatherbug, but we can scan the network for those and have users
remove it. It would be less administration if users had admin rights.
and anybody that abuses those privilges will be dealt with on a case
by case basis.

Should i run this script at statup instead
Click to expand...

You need to run it under computer, not user, I think.
 
Lanwench, Vamsi,

comments in-line......

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com



"Lanwench [MVP - Exchange]"
OK - as said, a user cannot grant himself more permissions than he already
has.
Click to expand...


Correct! Think about the consequences were this not the case. Network
Security would be a complete farce. Users would be able to make themselves
members of the local Administrators group and God knows whatelse.

This logon script would actually need to be a start up script.

And, there is a much better way to do this. Look into the Restricted Groups
GPO. Here are two MSKB Articles that will get you going:

http://support.microsoft.com/?id=320065
http://support.microsoft.com/?id=810076


You might want to look into the Restricted Software GPO to help out with
this. Granted, in a WIN2000 environment there is an easy way around this
for the end-user ( simply rename the .exe or whatever ) but with WIN2003
this is not possible as a hash is used...renaming the .exe or whatever does
not make a hill of beans of difference.

You also might want to take a workstation and try to install the software on
it. Assuming that this fails then you might want to take a look at regmon
and filemon from http://www.sysinternals.com to figure out where the failure
is occuring.
You need to run it under computer, not user, I think.
Click to expand...


I will spare you the stories that I could tell you about users deleting all
of their fonts because they needed special fonts and did not want to have to
remember which ones were special or about the users who deleted a ton of
things to make room for their music files or......

I never never never encourage this and do just about everything to prevent
this. Domain user account objects should be in the USERS or at most POWER
USERS local groups....no more.
 
Lanwench MVP - Exc said:
OK - as said, a user cannot grant himself more permissions
than he already
has.


You need to run it under computer, not user, I think.
 >> vamshi wrote:
  >>> I have server 2000 running and have created a
security group with
  >>> certain users added to it.
  >>> I want these users to have local admin rights
to all workstations in
  >>> the domain. So I created a logn script and
added the net localgroup
  >>> "domaingroup" /add, and then applied to the
domain thru gpo on the
  >>> logon script part. for wahtever reason this is
not adding the
  >>> security group to the local admin group on
the workstation. The
  >>> rest of the script works fine though.
 >>
 >> Is the login script running under the user's
credentials? They can't
 >> grant themselves more rights than they have now.
 >>
 >> I strongly suggest you rethink this anyway - users
shouldn't have
 >> local admin rights. Very Bad Things can happen this
way.
Click to expand...

Hi,

You need to investigate Restricted Groups. Here you can add domain
accounts to local accounts on machines. A script won’t do that I am
afraid.

Cheers,

Lara
 
lforbes said:
Hi,

You need to investigate Restricted Groups. Here you can add domain
accounts to local accounts on machines. A script won't do that I am
afraid.

Cheers,

Lara

--
Posted using the http://www.windowsforumz.com interface, at author's
request
Articles individually checked for conformance to usenet standards
Topic URL:
http://www.windowsforumz.com/Group-...n-users-local-admim-rights-ftopict256862.html
Visit Topic URL to contact author (reg. req'd). Report abuse:
http://www.windowsforumz.com/eform.php?p=796060
Click to expand...
 
You can use a script to add domain user/group to the local administrators
group of domain computers using the "net localgroup" command. It must
however be a startup script which will then run in system context. It works
well in situations where you do not want to use restricted groups due to the
fact that it may remove all current users/groups in the local administrators
group of the domain computer. --- Steve
 
Back
Top