Re: AD User Rights on Local Machine

From: Mike (mjl000@hotmail.com)
Date: 01/23/03 

From: "Mike" <mjl000@hotmail.com>
Date: Thu, 23 Jan 2003 00:28:28 GMT

As far as I understand, it may be possible, but may currently be beyond your
capabilities.

It is possible to setup OU's and define new Domain groups with appopriate
policies. You don't have to use the builtin Admin, user, power-user groups.
By building your own user group, you can allow all users the appropriate
levels of permissions to run and use any program, but not to install or modify
the system.

Local groups are different from domain groups, but I assume when you mean
"local admin rights" you mean certain "admin capabilities" but not global or
domain rights for admin access. See the first paragraph and find info from
the MS Knowledge base or HowTo's. This is a OU and domain/group policy issue
where you need to know how to customize things.

"Chris Dersham" <cdersham@chemungcanal.com> wrote in message
news:61f701c2be4a$04dced00$d6f82ecf@TK2MSFTNGXA13...
> the problem that i am having is when any user logs onto a
> windows 2000 machine they can't run all the programs..
> (they don't have the correct rights) the only thing that
> works is making them part of the domain admin group. Now
> i know i don't want to do this..but its the only thing
> that works.. is there any way to assign them local admin
> rights without doing it on the local machine? (within
> Active Directory?).. If i do have to add them as Power
> Users or Admins on the Local Machine is there a way of
> adding them to that group using a policy instead of
> visiting each machine. Plus differnt people access
> differnt machines. so it would be very hard to keep up
> with adding each person by hand to the power users group
> whenever they logged onto a differnt machine.
>
> Any help or suggestions would be
> very apreacited.. if you need any more info feel free to
> email me
>
> cdersham@chemungcanal.com
>
> Thanks
>
> Chris
>
>

Relevant Pages