Re: Allow Admins to log on to W2K Desktop with Admin Rights
Date: Thu, 15 Jul 2004 08:41:07 -0700
The "net localgroup" command would have been perfect, but
unfortunately the group we wish to add with the domain
name is longer than 28 characters. The command fails
with a syntax error.
Other than changing the name, any further suggestions
would be greatly appreciated.
>You need to have all your workstations under a single OU. Then, ensure you
>have a security group on the domain that has the correct membership for your
>support and admin staff.
>Then, create a new Group Policy object and set up a computer startup script
>(Computer Configuration | Windows Settings | Scripts
>For name, use "net" and for parameters, use "localgroup
>This will execute the command "net localgroup
>/add" each time a machine affected by the policy boots.
>Be aware that if a workstation falls out of scope of your GPO, the change
>won't be removed from the machine.
>There is a feature called "restricted groups" that behaves similarly, but
>depending on OS and hotfix level it can either replace
>membership or add to it. The method outlined above is
>Hope this helps
>"Chris" <firstname.lastname@example.org> wrote in
>> We want to have our support and admin staff be able to
>> log onto our W2K desktops with full local administrator
>> rights. All other users needed to have a restricted
>> desktop environment. Also we need to be able to manage
>> these permission groups via AD. We do not want these
>> users to have Domain Admin rights.
>> Can anyone help please?
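
An added example, not part of the original thread: a computer startup script that adds a domain group to the local Administrators group through the ADSI WinNT provider, so the net.exe command-line parsing that rejects the long name is not involved. The domain name EXAMPLEDOM and the group name are constructed placeholders.

```vbscript
' Added example: assign as a GPO computer startup script (runs as Local System).
' EXAMPLEDOM and the group name below are constructed placeholders.
Option Explicit

Const DOMAIN_NAME = "EXAMPLEDOM"
Const GROUP_NAME  = "Desktop Support and Administration Staff"  ' longer than 28 characters
Const EVT_SUCCESS = 0
Const EVT_ERROR   = 1

Dim shell, localAdmins, memberPath
Set shell = CreateObject("WScript.Shell")
memberPath = "WinNT://" & DOMAIN_NAME & "/" & GROUP_NAME

On Error Resume Next

' "." is the local computer; Administrators is the built-in local group.
Set localAdmins = GetObject("WinNT://./Administrators,group")
If Err.Number <> 0 Then
    shell.LogEvent EVT_ERROR, "Cannot bind to local Administrators: " & Err.Description
    WScript.Quit 1
End If

' Add only when missing, so repeated boots do not fail with "already a member".
Dim alreadyMember
alreadyMember = localAdmins.IsMember(memberPath)
If Err.Number <> 0 Then
    ' Membership could not be determined (e.g. domain unreachable at boot).
    shell.LogEvent EVT_ERROR, "Cannot check membership of " & memberPath & ": " & Err.Description
    WScript.Quit 1
End If

If Not alreadyMember Then
    localAdmins.Add memberPath
    If Err.Number <> 0 Then
        shell.LogEvent EVT_ERROR, "Failed to add " & memberPath & ": " & Err.Description
        WScript.Quit 1
    End If
    shell.LogEvent EVT_SUCCESS, "Added " & memberPath & " to local Administrators"
End If
```

As with the quoted "net localgroup" approach, the script only adds the group; it does not remove the membership from a workstation that later falls out of scope of the GPO.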