Re: How2: User Rights on Domain but Admin Rights on Computer



You can add domain users to the local Administrators group with
filtering function through Restricted groups by using Member of
functionality (2k3 supports this as well). Because any application that
installs device drivers or registers the service on the local machine
requires the principal to have local administrative privileges, there
are reasons to do that sometimes. Even educational products such as
Mathworks MATLAB for example install their services. MATLAB installs
its MATLAB server service. Defragmentation software installs its
services on the machine. If we're talking about networking software such as
network analyzers, bandwidth meters, they always install their drivers
on the machine. But you can restrict your user rights and still leave
them with the ability to install this software. You simply can install that
software automatically when users log on to their computers with group
policy or with desktop management software. I prefer to use Desktop
Authority (http://www.scriptlogic.com/da), a desktop management tool from
Scriptlogic. I can set an application to run under administrative
privileges. The user would get it installed on his machine and would be
able to run it even if he is just a member of the domain users group. If
the application requires extra privileges on registry hives or on
services, I can change them remotely using Scriptlogic's Security
Explorer (http://www.scriptlogic.com/securityexplorer). I just
experiment first on my test machine to track which service and key
requires which type of privileges. I can create a template that
contains the needed ACEs, assign it to a group and apply the created ACL template
to a specified set of services. The user gets the ability to use the service
through the program but other keys that aren't used by this program
are intact and protected.

Tom C. wrote:
We have a pretty simple setup: Single Win2K3 Server/DC and maybe 8 or 10
client machines. We have a couple of users that we have assigned only a user
group membership on the domain because we don't want them messing with files
on the server shares. But at the same time, the user level login restricts
them on their personal clients to where they can't install software or even
run some software. How do I keep them as users on the domain but at the same
time give them administrative (read, FULL) access to their individual client
machines? Thanks, tom c
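
An added example, not part of the original posts: a small auditor for the Restricted Groups approach mentioned in the reply, assuming the setting is stored in the `[Group Membership]` section of a GPO's GptTmpl.inf security template. It separates additive "Member of" grants from "Members" lists that replace the group's contents, and flags grants to every-user principals; the function names and the sample SIDs are made up for illustration.

```python
import re

ADMINS = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators
# Well-known principals that cover every user who can log on.
BROAD = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users",
         "S-1-5-4": "INTERACTIVE", "S-1-5-32-545": "BUILTIN\\Users"}

def _norm(name):
    return name.strip().lstrip("*")

def _is_admins(name):
    return _norm(name).lower() in (ADMINS.lower(), "administrators")

def _broad(name):
    sid = _norm(name)
    if re.fullmatch(r"S-1-5-21(-\d+){3}-513", sid, re.I):
        return "Domain Users"  # RID 513 in any domain
    return BROAD.get(sid.upper())

def audit_restricted_groups(inf_text):
    """Return (principal, mode, broad_label) for each grant of local admin."""
    findings, in_section = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values = [v.strip() for v in value.split(",") if v.strip()]
        subject, _, kind = key.strip().rpartition("__")
        if kind.lower() == "memberof" and any(_is_admins(v) for v in values):
            # "Member of": subject is added, existing local admins are kept.
            findings.append((_norm(subject), "additive", _broad(subject)))
        elif kind.lower() == "members" and _is_admins(subject):
            # "Members": the listed principals replace the group's contents.
            findings += [(_norm(v), "authoritative", _broad(v)) for v in values]
    return findings

# Constructed sample; the domain SID and RID 1105 are made up.
SAMPLE = """[Group Membership]
*S-1-5-21-1111111111-2222222222-3333333333-1105__Memberof = *S-1-5-32-544
*S-1-5-21-1111111111-2222222222-3333333333-1105__Members =
*S-1-5-21-1111111111-2222222222-3333333333-513__Memberof = *S-1-5-32-544
"""

for principal, mode, broad in audit_restricted_groups(SAMPLE):
    print(principal, mode, "BROAD: " + broad if broad else "scoped")
```

Template files read from SYSVOL are usually UTF-16 encoded, so decode them to text before passing them to `audit_restricted_groups`.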
