Security Forums

making a domain user admin on their own computer

coastalcruiser
Posted: Wed Nov 01, 2006 7:03 pm

Stumbling through my first WIN 2003 server deployment. I have a domain user account that is a member of Domain Users global group. I want that user to be a local admin on any workstation they log on to. What is the easiest way to achieve this?

I thank you.
Coastal cruiser
gquitugua
Posted: Wed Nov 01, 2006 7:46 pm

add the domain account to the local administrator group on the box
graycat
Posted: Wed Nov 01, 2006 8:41 pm

you've got a few options really, but they basically boil down to variations of either scripting the user into the local admin group or using restricted groups.

Scripting - run as a startup script and use something along the lines of this batch file:
Code:
net localgroup administrators domain\username /add


Restricted groups - drop the user into a group then use restricted groups enforced via GPO to add that group into the local admins. one word of warning though: restricted groups strip out whatever groups you've got set up on the PCs and enforce from the GPO. You might want to check who you've got running where and what groups
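A fuller version of the startup-script option described above, added here as an example and not code posted in the thread: it records the current local Administrators membership (the list a Restricted Groups policy would replace) and adds a domain group only if it is not already a member. The group name `EXAMPLE\Workstation Admins` and the log path are placeholder assumptions, and the local group is assumed to have its English name.

```bat
@echo off
rem Added example, not from the thread. Intended as a computer startup
rem script, which runs as Local System and can edit local groups.
setlocal

rem Assumptions: placeholder domain group and log location.
set "ADMIN_GROUP=EXAMPLE\Workstation Admins"
set "LOG=%SystemRoot%\Temp\localadmins-%COMPUTERNAME%.log"

rem 1. Record who is in local Administrators right now, so the list can
rem    be reviewed before a Restricted Groups policy replaces it.
echo ==== %DATE% %TIME% membership before change ====>>"%LOG%"
net localgroup Administrators >>"%LOG%" 2>&1

rem 2. Add the domain group only if it is not already listed.
rem    find /i is a case-insensitive substring match on the member list.
net localgroup Administrators | find /i "%ADMIN_GROUP%" >nul
if not errorlevel 1 (
    echo %ADMIN_GROUP% is already a member, no change made>>"%LOG%"
    goto :done
)

net localgroup Administrators "%ADMIN_GROUP%" /add >>"%LOG%" 2>&1
if errorlevel 1 (
    echo FAILED to add %ADMIN_GROUP%>>"%LOG%"
    exit /b 1
)
echo Added %ADMIN_GROUP%>>"%LOG%"

:done
endlocal
exit /b 0
```
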
coastalcruiser
Posted: Wed Nov 01, 2006 9:11 pm

gquitugua:

Right! I was looking at it from the perspective of taking action at the domain controller, not the workstation. In fact although I mentioned a single user in my post (to keep it simple), I in fact needed a group of users to have this power. But I found that by going to the advanced tab I could include a domain group in the member list of local admin group.

Thanx!

graycat:
This is a nice option too if I had a bunch of workstations. In my particular case it will be easy to just go with the other option since I only have 15 stations, and I have to visit them anyway in order to join them to the domain. Thank you.
gquitugua
Posted: Wed Nov 01, 2006 9:54 pm

Glad to be of assistance and welcome to the forum
coastalcruiser
Posted: Wed Nov 01, 2006 10:57 pm

And thanx for the warm welcome.

You know, while on the subject of users and admin access to the workstation, I would like to press my luck a bit and get an opinion from you who have been down the "limited rights" road for client stations.

The main reason I wanted to know how to make the user admin over their own computer is an ace in the hole when a new 2003 server is deployed next week. I currently run 20 XP PRO workstations connected to an ancient Novell server. That server is leaving, and a 2003 server is coming. I noticed right away that on my testbed, after the computer joins the domain and a domain user logs on, there are default security policies applied to the local workstation. That's great, except that I am concerned something will "break" for the user on rollout day (i.e. can't run certain apps).

In the current environment things break when you change a local user's account type from administrator to Limited (leaving aside the whole limited user workarounds concept). In your experience is it different in the case of a domain account for a user simply being a member of the "Domain Users" group? Am I correct in being afraid . . . very afraid, or does the default configuration usually fly in terms of users still being able to run their apps and such without issues?

I thank you all again.
moondoggie
Posted: Wed Nov 01, 2006 11:19 pm

typically, just "domain user" is good enough. as long as the apps are installed where domain users have access to their folders they should be able to run their apps. if they can't, then having them as a local power user will give them a bit more control, but not so much that they can do any kind of havoc on your system, imo.
gquitugua
Posted: Wed Nov 01, 2006 11:20 pm

Limited can be done but more often than not, you will have issues with applications due to developers taking into account that all users have full access to the system. More than likely, you will have to do some homework and adjust permissions to get the applications to work. I have yet to lock down a machine where the only solution was to give the user admin rights over the box. I use the tools from sysinternals (Now MS) to figure out what is being denied access and reconfigure from there. That is my preference on how I allow users to run but sometimes it's just easier to allow them to run as local admin. Depends on your situation.

You could try running drop my rights:
http://www.securityfocus.com/infocus/1848

or you could wait till Vista is released early next year in which limited user is built into the o.s.

hth
coastalcruiser
Posted: Thu Nov 02, 2006 2:46 am

Yeah. So it's pretty much the drill I thought it to be. Thanx for replies.

All times are GMT + 2 Hours