Solved

Group Policy and new users question

Posted on 2003-03-10
Last Modified: 2010-04-13
I have a Small Business Server installation at an office where we have more users than computers. We use roaming profiles to let all the users on the network and gain access to their data. We also have a fair amount of turnover so users are being added and deleted all of the time. When I add a new user and they use any of the Office programs for the first time on a computer it launches the Windows Installer to let them finish the initial setup for that program for each user. If this user has not been given explicit local administrator privilege, they can't finish the install and just get an error code. If the user is given local admin privileges, then the installation finishes with no problem and it's never an issue again. Right now I have to go to each computer that the new user works on and give them local admin privileges, which is inefficient and time-consuming (and not as secure as I'd like). What I would like to do is create a Group Policy that allows users to either (in order of preference):

a) Be able to finish the install of these programs without having to be local admins

or

b) Allow users to be local admins of these computers when their accounts are created

I'd like to create this policy on the DC so I can have as centralized as possible administration for the network.

Thanks!
0
Comment
Question by:ssittig
16 Comments
 

Accepted Solution

by:
m0nst3r earned 1000 total points
ID: 8104755
You have a couple of options. In a W2K domain environment you can use the Group Policy to "elevate rights for installs" or you can use "mmc" to connect to each PC and assign "Everyone" to the local Administrators group, which will accomplish what you need.
0
 
LVL 1

Author Comment

by:ssittig
ID: 8105211
Elevating rights for installs seems like it would be perfect for what I am doing. Is there any reason why I would need to have "everyone" be a local admin for the machines? I would just love to not give users that privilege so I could have some control over what is happening on the network.

Thanks for your help.
0
 

Expert Comment

by:m0nst3r
ID: 8105366
There is no need to give everyone local admin rights if you are going to use the GP to elevate rights. Although giving local admin rights does not give the user admin rights on the network, that is decided by the groups you have them assigned to. Remember though, there are 2 types of access, local PC and domain, so putting everyone in the local admin group does help out with installs, printers, and some programs that need admin rights, without giving the basic user too much.
0
 
LVL 9

Expert Comment

by:MSGeek
ID: 8105726
One other solution that has worked for me was to launch the programs as the administrator; once done running the install wizard, copy the administrator's profile over the default user profile.
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 8105887
:o) ssittig..., and everybody else.

PLEASE READ THIS CAREFULLY:

You must NEVER NEVER NEVER grant Everyone membership of the LocalAdminGroup on each workstation.

And You must NEVER NEVER grant a DomainUserGroup membership of the LocalAdminGroup on each workstation.

And You must NEVER grant the same DomainUser membership of the LocalAdminGroup on more than his/her own workstation.

If You grant Everyone membership of the LocalAdminGroup, Everyone gets unlimited REMOTE access power of every workstation on Your network.

The unlimited REMOTE access involves:
1. Explorer: \\ComputerName\C$
2. Registry
3. ComputerManagement (Control Panel)

If You want to know about this issue, look at my question on http://www.experts-exchange.com/Security/Win_Security/Q_20506528.html or look at my description of this problem on http://www.tryware.dk/English/W2kLocalGroupPolicy/TotalAdminPower.html
0
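An added PowerShell audit (example code, not from any poster in this thread) covering both points raised so far: it lists who sits in a workstation's local Administrators group and flags the broad principals trywaredk warns about, and it reports whether the Windows Installer "Always install with elevated privileges" policy (assumed here to be the "elevate rights for installs" setting m0nst3r refers to) is active, read from its registry location. Run it on each workstation, or fan it out with Invoke-Command, as an account allowed to read local groups.

```powershell
# Added audit script (not from the thread). Checks the local machine for the two
# risky states discussed above and returns one object per workstation.
function Get-WorkstationAdminExposure {
    # Principals that must never be members of the local Administrators group:
    # each one turns every domain account into a local admin, which also means
    # remote access to \\<host>\C$, the registry and Computer Management.
    $broadPrincipals = @('Everyone', 'Domain Users', 'Authenticated Users')

    $group   = [ADSI]'WinNT://./Administrators,group'
    $members = foreach ($m in @($group.psbase.Invoke('Members'))) {
        $name = $m.GetType().InvokeMember('Name', 'GetProperty', $null, $m, $null)
        $path = $m.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $m, $null)
        # AdsPath is WinNT://DOMAIN/Name (domain principal) or WinNT://HOST/Name (local)
        $source = (($path -replace '^WinNT://', '') -split '/')[0]
        [pscustomobject]@{
            Member = "$source\$name"
            Broad  = ($broadPrincipals -contains $name)
        }
    }

    # Policy "Always install with elevated privileges": it only takes effect
    # when the DWORD AlwaysInstallElevated is 1 under BOTH the machine and user key.
    $installer = 'SOFTWARE\Policies\Microsoft\Windows\Installer'
    $hklm = (Get-ItemProperty -Path "HKLM:\$installer" -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
    $hkcu = (Get-ItemProperty -Path "HKCU:\$installer" -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        LocalAdmins           = $members
        BroadPrincipalsFound  = @($members | Where-Object Broad | ForEach-Object Member)
        AlwaysInstallElevated = ($hklm -eq 1 -and $hkcu -eq 1)
    }
}

$report = Get-WorkstationAdminExposure
$report.LocalAdmins | Format-Table -AutoSize
if ($report.BroadPrincipalsFound) {
    Write-Warning ('Broad principals in local Administrators: ' + ($report.BroadPrincipalsFound -join ', '))
}
if ($report.AlwaysInstallElevated) {
    # Every package any user launches is then installed with elevated rights,
    # so keep this policy scoped to the machines and users that really need it.
    Write-Warning 'AlwaysInstallElevated is active for this machine and user.'
}
```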
 
LVL 12

Expert Comment

by:trywaredk
ID: 8105979
:o) Sorry - I accidentally hit the refresh button
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 8106005
MSGeek.. Never use Explorer to copy profiles, always use UserProfiles when RightClicking MyComputer\Properties.
0
 
LVL 9

Expert Comment

by:MSGeek
ID: 8106008
trywaredk.. You must NEVER NEVER NEVER hit the refresh button on EE!  :)
0
 
LVL 9

Expert Comment

by:MSGeek
ID: 8106018
I never advised the use of Explorer to copy profiles, where did you get that idea???
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 8106171
:o) MSGeek.. It could be misunderstood, that You advised to COPY the administrator's profile over the default user profile.
0
 

Expert Comment

by:m0nst3r
ID: 8106226
Well I tested your theory that "Local\Everyone" in the "Local Administrators" group has remote access to the \\xxx\C$ share. And it is not true in a domain environment. Those shares are for remote NETWORK admin access, and therefore not accessible to the "Domain Users" group. For it to be true a user has to be signed on to a local computer with Admin rights (not the domain) AND have a "local" user account on the remote PC.
In a domain environment users have to be given specific rights to network resources.
As far as the registry and computer management, they do have access to it ONLY on the local machine, and that can be controlled through the use of policies.
Also I distinctly remember saying that the installs can be controlled using the GP by elevating rights for installs only, which would also solve this problem.
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 8106655
M0nst3r..

Credentials in W2k are given the second You press ENTER on the password when logging on.

Try again after logout and logon, and You will see, that You're wrong, and I am right about the local admin group.

By the way - when testing it - You have to grant Everyone to the local admin group on BOTH test-workstations, and logout and logon again.

Please reply, when You have removed Everyone again!
0
 
LVL 1

Author Comment

by:ssittig
ID: 8134767
m0nst3r,

Thanks, where can I find the elevate users rights for installs?

Thanks
-S
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 8136843
:o) Dear friends - Please realize, that being member of the local admin group means what it says - You can do anything You like with Your workstation:

1.  Create a local account on the workstation, and add this local account to local admin group
2.  Logon locally as the new local account
3.  RightClick MyComputer
4.  Choose Manage
5.  Choose Local Users and Groups
6.  Choose Groups
7.  Choose Administrators
8.  Choose Add...
9.  Choose Your Domain in Look in:
10. Logon as an ordinary DomainUser (NOT member of Local or Global Admin Group): Input Domain Name\Domain User Name and Domains Users password
11. Add Your own ordinary Domain User Name
12. Apply and log off.
13. Logon to Your Domain as an ordinary Domain User

Surprise for some of You - Your Domain User is still member of local admin group.

:o) And we can't do anything about it - or can we???

The problem is that more and more programs UPDATE themselves while users are logged on, requiring them to be members of the local admin group.

Being that, they can do unlimited remote access to every other workstation on the network, if they also are members of the local admin group on the remote workstation.

Some are, because some IT sysadmins place Domain Groups in the local admin group.

And You can't do anything about it with policy, if You (being member of the Global admin group) want to be able to do remote administration of all Your workstations.

0