Re: Domain Users to have Local Admin rights

In this case you can still use Group Policy but in this case you can use
_startup_ script (_not_ logon script) to add e.g. Help Desk group to local
Administrator group on all the computers. The script that you can use looks
like this

net localgroup Administrators domain\HelpDesk /add

domain in above command is netbios name of your domain.

This way HelpDesk will only be added -- without removing any other groups.

--
Mike
Microsoft MVP - Windows Security

"RedPenguin" <redpenguin@xxxxxxxxxxxxxxxxxxxxx> wrote in message
news:1255jubreasa613@xxxxxxxxxxxxxxxxxxxxx
well here is the problem. That I am not sure about using Broosters
solution.

We have various admin accounts other then administrator
on some of the client machines, and we do not want to
have it remove those, because some are laptops and they
use those accounts when they login at home. Is there anyway to be able to
keep their current admin accounts also?


"Miha Pihler [MVP]" <mihap-news@xxxxxxxxxxx> wrote in message
news:ec6NvGwaGHA.4772@xxxxxxxxxxxxxxxxxxxxxxx
Hi,

Brooster posted a solution to your question.

What I would like to add is a warning against using domain administrator
accounts to logon to user computers.
So simply put -- don't use accounts that have domain administrator
permissions for logging on to client computers. Use these accounts only
for working on domain controllers.
For logging on to client computers create new accounts (e.g. admin-mike,
admin-greg, etc) and add them to a group called e.g. Help Desk. Now add
this group to Local Administrator group by using solution proposed by
Brooster.

--
Mike
Microsoft MVP - Windows Security

"RedPenguin" <redpenguin@xxxxxxxxxxxxxxxxxxxxx> wrote in message
news:1254qjd2uso6j84@xxxxxxxxxxxxxxxxxxxxx
Ok we recently installed Microsoft Server 2003 Enterprise Edition on our
PC. The whole domain is working and everyone has thier own login that
works. The only thing is, those users do not have local admin privledges
on the PCs they logon to.

We wish to have a handful of users, HelpDesk, that when they login to
any machine, they automatically get admin privledges on the workstation.

We tried playing with Group Policy Editor but nopthing at all will work.







.

Relevant Pages

  • Re: debugger user autochange
    ... One possibility could be that Group Policy Restricted Groups are being ... applied to the computers in question. ... I think I failed to convey the problem clearly - the user accounts ... domain/userxyz assigned to the administrator group. ...
    (microsoft.public.windowsxp.security_admin)
  • Re: Domain Users to have Local Admin rights
    ... We have various admin accounts other then administrator ... administrator accounts to logon to user computers. ... Now add this group to Local Administrator group by using ...
    (microsoft.public.windows.server.security)
  • Re: Domain Users to have Local Admin rights
    ... But then we are startup scripts? ... Administrator group on all the computers. ... We have various admin accounts other then administrator ...
    (microsoft.public.windows.server.security)
  • guest users still able to access my computer, how to stop this?
    ... >I have set up my admin accounts on 3 computers using xp ... >These guest accounts are still able to access the ...
    (microsoft.public.windowsxp.security_admin)
  • guest users still able to access my computer, how to stop this?
    ... I have set up my admin accounts on 3 computers using xp ... All are linked together via, a switch, to a dlink router, ...
    (microsoft.public.windowsxp.security_admin)