Re: Granting Domain Users Local Admin Rights



=?Utf-8?B?cG93bGF6?= <powlaz@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
news:74A9D91F-9978-4AF4-A6EB-C18757217D9C@xxxxxxxxxxxxx:

We have historically done this on our Windows XP Pro/ Server 2003
SP2 AD network: When a user is set up at a computer their domain
login is added to the local PC with administrator rights.
Problems arise when the user goes to another computer where they
haven't been added as a local admin, for local admin rights are
required for a couple of our programs to run.

So I began looking for an easier way to do this and discovered a
couple of options:

1. Add the Interactive Users group to the local admin group
2. Add the Domain Users group to the local admin group

Does anyone know what the difference is? Interactive users are
those sitting at the PC that have authenticated (logged in).
Domain users also have to authenticate so why use one vs. the
other?

Now the "big get". On our network we have never had an incident
that resulted from a user having local admin rights. I realize
that we've been lucky but in a small company without a bad history
(people abusing the local admin privileges) what do we stand to
gain or how are we protecting ourselves by taking away the local
admin rights for our users? Please be specific.


I work for a not-so-small company and our IT dept does things very
similar to you. Employees are given admin access to their own
machine via their domain login. Communal computers such as
conference room computers and training room computers usually include
"Domain Users" in the local admin group. Communal computers rarely
store data of consequence, so should it become contaminated or
otherwise screwed up, it is simply re-imaged by the IT department --
usually faster than debugging the problem. "Interactive" users can
include local "guest" logins so it is usually preferable for the
Domain to verify the credentials of someone given admin privilege.

HTH,
John
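
The two options discussed in this thread can be audited by SID rather than by group name. The sketch below is an added example, not part of either post; it assumes PowerShell 5.1 or later on the machine being checked, and the function name `Get-BroadAdminFinding` and the sample domain identifier are made up for illustration.

```powershell
# Added example: flag broad principals in the local Administrators group.
# Well-known SIDs are matched instead of names so the check also works on
# localized systems.
$BroadSids = @{
    'S-1-1-0'  = 'Everyone'
    'S-1-5-4'  = 'INTERACTIVE (anyone logged on at the console, local accounts included)'
    'S-1-5-11' = 'Authenticated Users'
}

function Get-BroadAdminFinding {
    param([Parameter(Mandatory)][string[]]$MemberSid)
    foreach ($sid in $MemberSid) {
        if ($BroadSids.ContainsKey($sid)) {
            [pscustomobject]@{ Sid = $sid; Finding = $BroadSids[$sid] }
        }
        elseif ($sid -match '^S-1-5-21-\d+-\d+-\d+-513$') {
            # RID 513 is Domain Users in whichever domain issued the SID
            [pscustomobject]@{ Sid = $sid; Finding = 'Domain Users (all domain user accounts by default)' }
        }
    }
}

# Constructed sample membership; the domain identifier is made up.
$sample = @(
    'S-1-5-21-1111111111-2222222222-3333333333-500',  # built-in Administrator
    'S-1-5-21-1111111111-2222222222-3333333333-512',  # Domain Admins: not flagged
    'S-1-5-21-1111111111-2222222222-3333333333-513',  # Domain Users: flagged
    'S-1-5-4'                                         # INTERACTIVE: flagged
)
Get-BroadAdminFinding -MemberSid $sample | Format-Table -AutoSize

# Live check on the local machine; S-1-5-32-544 is BUILTIN\Administrators.
if (Get-Command Get-LocalGroupMember -ErrorAction SilentlyContinue) {
    $live = (Get-LocalGroupMember -SID 'S-1-5-32-544').SID.Value
    Get-BroadAdminFinding -MemberSid $live | Format-Table -AutoSize
}
```

Any row in the output marks a machine where administrator rights are held by a whole class of accounts rather than by named users.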