kmno

NT Domain / Local Acct question

I have a domain in which I need to ensure that all 200 users in the domain have admin access to their LOCAL machine accounts. Instead of sending an email to the users, is there a script or something that I can run when a domain user logs in that will let me know if they have admin rights to their machine?
stevenlewis

With only 200 PCs, I would just add the group "Domain Users" as local administrators, then you don't have to worry when users switch PCs.  Then do this for all new PCs as you receive them.
Benplace! Welcome to E-E! It's common courtesy to provide comments unless you know your answer is the only answer and is 300% correct and is what the questioner is looking for and will fix their problem. Please don't take this personally (others could let you know before I and not so diplomatically). I made the same mistake when I first arrived and someone was nice enough to point it out to me (it hurt my feelings, but I soon realized it's teamwork that's used here). This accomplishes a couple of things: First: it doesn't lock the question, allowing more exposure to other experts, allowing a faster fix (many problems require an interactive dialogue to troubleshoot them properly). Secondly: it gives the questioner the option to make an award based on the best comment that helped the most in fixing their problem, and it is also common courtesy to other experts.  Again welcome and look forward to working with you in the future, a lot of teamwork is used at this forum, as you will see! :>)  Quote shamelessly stolen from Dave. Thanks again Dave

Your answer may be correct, and I hope it is, after all the main goal here is to help the questioner, but when you propose an answer it removes the "accept comment as answer" button thereby robbing the questioner of the choice to choose which expert helped the most. If your comment is chosen by the questioner, you will be awarded the points.
Thank you  
Steve  

ASKER

Thanks for the proposed answer.  What I am looking to find out is if the users have local admin rights on their box.  So instead of calling each user to see if they have admin rights to their machine I was hoping for more of an automated test so I would not have to check each machine. We are running a WIN 2k Migration and the users need admin rights to their machines before the machine is migrated. Thanks!
Try this:
http://www.securewave.com/products/free_utilities/check_admin/checkadm.html
I believe it goes through your network and checks each PC to see if they have admin rights.

ASKER

That is a useful app but I need to check the Local Admin account on each specific machine, not the domain accts. I need something that goes to the actual machine and sees if that user has admin rights to the local machine.
Can you clarify? You are looking to programmatically determine if the 'Domain User' account is a member of the local Administrators group on NT Workstations?  Or do the users have 'Local User' accounts and you want to determine their group membership?

ASKER

llvquid - -

Thanks for the reply - I would like to make sure that the domain user account has admin rights to the local machine. So I have user jonest - I want to make sure jonest has admin rights to his local machine.  I would like to find this out in an "automated" way.  This might not even be possible, but I just wanted to see if anyone had any ideas. Thanks!
ASKER CERTIFIED SOLUTION
Benplace

This solution is only available to members.
Looks like Ben has a pretty good answer

ASKER

I will give it a shot and report back.  Thanks!

ASKER

That did exactly what I needed!  Thank you!!
PLEASE READ THIS CAREFULLY:

You must NEVER NEVER add a Domain User Group as a member of the Local Admin Group on each workstation.

And you must NEVER add the same Domain User as a member of the Local Admin Group on more than his/her own workstation.

If you add a Domain Group as a member of the Local Admin Group, everyone who is a member gets unlimited REMOTE access power over all similar workstations on your network.

The unlimited REMOTE access involves:
1. Explorer: \\ComputerName\C$
2. Registry
3. Computer Management (Control Panel)


IF YOU WANT TO KNOW MORE ABOUT THIS ISSUE:

https://www.experts-exchange.com/questions/20506528/DomainUsers-in-LocalAdminGroup.html
http://www.tryware.dk/English/W2kLocalGroupPolicy/TotalAdminPower.html
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windows2000serv/evaluate/featfunc/07w2kadc.asp
http://support.microsoft.com/?kbid=182734


IF YOU WANT TO TEST IT:
You have to add the Domain Group to the Local Admin Group on BOTH test workstations, then log out and log on again.

Important: you have to log on again after creating the credentials, because W2k grants them at the moment you press ENTER after the password when logging on.

Please reply when you have removed the Domain Group from the Local Admin Group again!


Many Regards

Jorgen Malmgren
IT-Supervisor
Denmark
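
Added example, not part of any post in this thread: a PowerShell audit that parses `net localgroup Administrators` output collected from each workstation, reports whether the expected domain user is listed, and flags broad domain groups of the kind the warning above describes. The domain `CORP`, the machines `WS01`/`WS02`, the user `smithk`, the function names and the sample output are constructed for illustration.

```powershell
# Groups that hold every (or nearly every) account; adjust for your domain.
$BroadGroups = 'Domain Users', 'Authenticated Users', 'Everyone'

function Get-AdminMembers([string]$NetOutput) {
    # Member names sit between the dashed rule and the completion message.
    $members = @(); $inList = $false
    foreach ($line in ($NetOutput -split "\r?\n")) {
        if ($line -match '^-{5,}') { $inList = $true; continue }
        if ($line -match '^The command completed') { break }
        if ($inList -and $line.Trim()) { $members += $line.Trim() }
    }
    return $members
}

function Test-LocalAdmin([string]$Computer, [string]$User, [string]$NetOutput) {
    $members = @(Get-AdminMembers $NetOutput)
    # Compare only the name after the domain/authority prefix.
    $broad = @($members | Where-Object { $BroadGroups -contains ($_ -split '\\')[-1] })
    [pscustomobject]@{
        Computer    = $Computer
        User        = $User
        # Direct membership only; rights gained through a nested group are not resolved.
        UserListed  = $members -contains $User
        BroadGroups = $broad -join ', '
    }
}

# Constructed sample output of `net localgroup Administrators` from two workstations.
$samples = @(
    @{ Computer = 'WS01'; User = 'CORP\jonest'; Output = @'
Alias name     Administrators
Members

-------------------------------------------------------------------------------
Administrator
CORP\Domain Admins
CORP\jonest
The command completed successfully.
'@ },
    @{ Computer = 'WS02'; User = 'CORP\smithk'; Output = @'
Alias name     Administrators
Members

-------------------------------------------------------------------------------
Administrator
CORP\Domain Users
The command completed successfully.
'@ }
)

$samples | ForEach-Object { Test-LocalAdmin $_.Computer $_.User $_.Output } | Format-Table -AutoSize
```

On the constructed data, WS01 shows the user listed directly with no broad group, while WS02 shows the user absent by name and `CORP\Domain Users` flagged.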