bluez
asked on
Groups and admin rights
Topology:
Advanced server 2000 and 2000 clients.
We need to roll out various software. My question is about user rights. I don't want local admin rights to the client machine to install software.
What is the best way to assign temporary rights for program install? E.g., in NT4.0 I would do the following:
1. Create a global group, i.e. UserAdmins
2. Add this to the Administrators group on each machine (client)
3. Assign users to UserAdmins when required.
I don't really want to go around every machine doing this.
I have created a group UserAdmins on the 2000 domain and added users, also member of admin group global.
When the users log on they don't get any admin rights. If I add them to the DomainAdmins group they get admin rights.
Cheers
Why don't you assign or publish the software packages to the PCs at logon using an msi file?
The software can either be installed when the PC starts up or when the user first decides to use the program.
You can set up GPOs for each application, or put them all together in a single GPO.
The other good thing about doing it this way is you can set up another GPO to uninstall the software when the user no longer requires it. (Good for license maintenance)
ASKER
1. I have used icw for msi installs.
How do I do what you suggest, i.e. publish package at startup, or when first run?
There are lots of articles describing deploying software in Windows 2000. For a description of the process
http://www.win2000mag.com/Articles/Index.cfm?ArticleID=9625
For a description on how to do it
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q302430
I've used it several times for small-scale rollouts (playing really); it's not too difficult.
ASKER
Note:
I can use the net command
net localgroup administrators AdminUsers /add
This only works for local logon administrator
Does anyone have any ideas how to get this to work via the logon script?
I made the presumption that if the users were in an admin group they could run the command at logon, but not so.
Of course the simple way is to add users to DomainAdmins, but this leaves too much of a security hole (local machines have global account domainusers logged in).
ASKER
Thanks for all your input into this question.
Here is an example script in vbScript.
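Dim oDomain 'For Domain Object
Dim oG_AdminGroup 'For Global Group
Dim oL_AdminGroup 'For Local Admin Group
Dim Computer 'For each computer account in the domain
Const DomainName = "Your Domain"
Const GlobalGroup = "Your GlobalGroup"
Set oDomain = GetObject("WinNT://" & DomainName)
Set oG_AdminGroup = GetObject("WinNT://" & DomainName & "/" & GlobalGroup)
oDomain.Filter = Array("Computer") 'Enumerate computer accounts only
For Each Computer In oDomain
    'Keep going when a machine is offline or the group is already a member
    On Error Resume Next
    Err.Clear
    Set oL_AdminGroup = GetObject("WinNT://" & Computer.Name & "/Administrators")
    If Err.Number = 0 Then oL_AdminGroup.Add oG_AdminGroup.ADsPath
    If Err.Number <> 0 Then WScript.Echo Computer.Name & ": " & Err.Description
Next
On Error GoTo 0
Set oDomain = Nothing
Set oG_AdminGroup = Nothing
Set oL_AdminGroup = Nothing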
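
A companion audit for the script above, added here as an example and not part of the original thread: it lists who is in the local Administrators group on every computer in the domain, so the rollout can be verified and leftover or direct user grants spotted. The domain name is a placeholder, the group name is taken from the question, and the comparison assumes DomainName is the NetBIOS domain name.

```vbscript
' Added example (not from the original thread): audit local Administrators
' membership on every computer account in the domain.
Option Explicit
Const DomainName = "YOURDOMAIN"   ' placeholder: NetBIOS domain name (assumption)
Const GlobalGroup = "UserAdmins"  ' group name used in the question

Dim oDomain, oComputer, sExpected
Set oDomain = GetObject("WinNT://" & DomainName)
oDomain.Filter = Array("Computer")
' ADsPath the global group is expected to have as a local group member
sExpected = LCase("WinNT://" & DomainName & "/" & GlobalGroup)

For Each oComputer In oDomain
    ReportMembers oComputer.Name
Next

Sub ReportMembers(sComputer)
    Dim oGroup, oMember, bFound
    ' Only the bind is guarded, so an offline machine is reported and skipped
    On Error Resume Next
    Set oGroup = GetObject("WinNT://" & sComputer & "/Administrators,group")
    If Err.Number <> 0 Then
        WScript.Echo sComputer & vbTab & "UNREACHABLE" & vbTab & Err.Description
        Exit Sub
    End If
    On Error GoTo 0

    bFound = False
    For Each oMember In oGroup.Members
        If LCase(oMember.ADsPath) = sExpected Then bFound = True
        ' Class is "User" or "Group"; a domain User here is a direct grant
        ' that bypasses the global group and deserves review
        WScript.Echo sComputer & vbTab & oMember.Class & vbTab & oMember.ADsPath
    Next
    If Not bFound Then
        WScript.Echo sComputer & vbTab & "MISSING" & vbTab & GlobalGroup
    End If
End Sub
```

Run it with cscript //nologo so the tab-separated lines go to the console instead of message boxes.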