Re: Admin right for station

From: Torgeir Bakken (MVP) (Torgeir.Bakken-spam_at_hydro.com)
Date: 11/24/05


Date: Thu, 24 Nov 2005 14:55:54 +0100

Hi,

You could add "NT Authority\Interactive" to the local Administrators
group to let all domain users automatically be local admins when they
log on to a computer interactively.

This is more secure than adding "Authenticated Domain Users",
"Domain Users", "NT AUTHORITY\Authenticated Users" or any other
global security group because you avoid the issue with cross
network admin rights (remote access) that these groups introduce.

You can do this operation in a computer startup script (with a
GPO) that runs as part of the boot up process (before the user logs
in). It runs under the system context and has admin rights.

Be sure to not do this on servers though!

Adding it to the Administrators group with a command line in a bat
file:

%SystemRoot%\system32\net.exe LOCALGROUP /ADD "Administrators"
  "NT Authority\Interactive"

(the command above will wrap over two lines in the newsgroup post, it
needs to be adjusted to be all on one line)

Adding it to the Administrators group using VBScript:

'--------------------8<----------------------
Option Explicit

Dim objNetwork, strComputer, objLocalGroup

' create network object for the local computer
Set objNetwork = CreateObject("Wscript.Network")

' get the name of the local computer
strComputer = objNetwork.ComputerName

' bind to the group
Set objLocalGroup = GetObject("WinNT://" & strComputer & "/Administrators,group")

' add NT Authority\Interactive to the group
On Error Resume Next ' suppress error in case it is already a member
objLocalGroup.Add("WinNT://NT Authority/Interactive")
On Error Goto 0
'--------------------8<----------------------

Crown Royal wrote:

> I would love to know how to give my users admin right to their own station.
> The only thing that has worked for me is to go to the station and change the
> security settings on both the C drive and the registry. They are logging on
> to a domain, so it's taking the domain user permissions. I tried giving
> them administrator rights on their account, but I guess it doesn't mean local
> admin rights. Some software that they are running needs them to be
> administrators of their own station, and going to each to edit the rights on
> the station is ridiculous. I've tried going around to the group policies,
> but can't seem to find out how to change the policy to make it work.
>
> Thx

-- 
torgeir, Microsoft MVP Scripting, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scriptcenter/default.mspx
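
An audit for the group memberships discussed in this post, as an added example that is not part of the original message. It assumes Windows PowerShell 5.1 or later (for Get-LocalGroupMember); the function name Get-BroadAdminFinding is hypothetical.

```powershell
# Added example (not from the original post): flag broad principals in the
# local Administrators group and note whether the machine is a server.
# SIDs are matched instead of names so the check also works on localized Windows.

function Get-BroadAdminFinding {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $Sid,
        [string] $Name = '',
        [bool] $IsServer = $false
    )
    $finding = switch -Regex ($Sid) {
        # NT AUTHORITY\INTERACTIVE: applies only to interactive logons
        '^S-1-5-4$'              { 'Interactive: users logged on interactively are local admins'; break }
        # NT AUTHORITY\Authenticated Users
        '^S-1-5-11$'             { 'Authenticated Users: admin rights also apply over the network'; break }
        # <domain>\Domain Users (relative ID 513)
        '^S-1-5-21-[\d-]+-513$'  { 'Domain Users: admin rights also apply over the network'; break }
    }
    if ($finding) {
        [pscustomobject]@{
            Name     = $Name
            SID      = $Sid
            Finding  = $finding
            OnServer = $IsServer   # the post says not to do this on servers
        }
    }
}

# ProductType 1 = workstation, 2 = domain controller, 3 = member server.
$isServer = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -ne 1

# S-1-5-32-544 is the well-known SID of BUILTIN\Administrators.
Get-LocalGroupMember -SID 'S-1-5-32-544' |
    ForEach-Object {
        Get-BroadAdminFinding -Sid $_.SID.Value -Name $_.Name -IsServer $isServer
    }
```

No output means none of the three principals is a direct member of the local Administrators group.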

