esc_toe_account
asked on
Administrator rights vary in different profiles
On some of our Win2000 Pro PCs, profiles are set with administrator rights, yet do not have all administrator privileges.
Why is this? How can we give a profile FULL administrator rights?
So that, for example, it can access Users and Passwords from the Control Panel without providing another logon and password, install all software, etc.
On other PCs set up the same (as far as checking privileges shows) full administrator rights are available.
ASKER
Local Account .. have removed from the Administrator Group, rebooted, and added back without success. Now trying different ways of removing and readding.
Once the account change is made, the account needs to be logged out of and then back in for the change to take effect. Perhaps that is the problem.
HTH
-Steven Yarnot
http://yarnosg.home.insightbb.com
ASKER
Rebooting encompasses logging .. we DO log back in without success.
ASKER
Clarification: We reboot twice, before and after change.
I'll tell you the way we do it, and you can try it out. :-)
Assuming the machine is part of a domain, always use the domain logins for the users.
On the domain, we have a group called "local admins" and we join anyone that we want to have rights on their PC, into that group.
Then, on the PC itself, in the local groups, we add the domain group called "local admins".
Login as domain user, and bingo, off you go...
Worked just fine for me. :)
Andrew
esc_to_account... What You must do, is to add the Global Domain Admins Group to the Local Admins Group!
IMPORTANT!!!!!
:o) esc_to_account...AndrewBienhaus..., and everybody else.
PLEASE READ THIS CAREFULLY:
You must NEVER NEVER add a Domain User Group membership of the Local Admin Group on each workstation.
And You must NEVER add the same Domain User membership of the Local Admin Group on more than his/her own workstation.
If You add a Domain Group membership of the Local Admin Group, everyone being member gets unlimited REMOTE access power of all similar workstations on Your network.
The unlimited REMOTE access involves:
1. Explorer: \\ComputerName\C$
2. Registry
3. Computer Management (Control Panel)
IF YOU WANT TO KNOW MORE ABOUT THIS ISSUE:
https://www.experts-exchange.com/questions/20506528/DomainUsers-in-LocalAdminGroup.html
http://www.tryware.dk/English/W2kLocalGroupPolicy/TotalAdminPower.html
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windows2000serv/e
valuate/featfunc/07w2kadc. asp
http://support.microsoft.com/?kbid=182734
IF YOU WANT TO TEST IT:
You have to add the Domain Group to the Local Admin Group on BOTH test-workstations, and logout and logon again.
Important: You have to make a new logon after creating the credentials, because they are given in W2k in the second where You press ENTER to password when logging on.
Please reply, when You have removed the Domain Group from the Local Admin Group again!
Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark
:o) Sorry - broken line in links:
https://www.experts-exchange.com/questions/20506528/DomainUsers-in-LocalAdminGroup.html
http://www.tryware.dk/English/W2kLocalGroupPolicy/TotalAdminPower.html
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windows2000serv/evaluate/featfunc/07w2kadc.asp
http://support.microsoft.com/?kbid=182734
Dear expert(s),
A request has been made to close this Q in CS:
https://www.experts-exchange.com/questions/20564414/Please-Delete-http-www-experts-exchange-com-Operating-Systems-Win2000-Q-20546327-html.html
Without a response in 72 hrs, a moderator will finalize this question by:
- Saving this Q as a PAQ and refunding the points to the questioner
When you agree or disagree, please add a comment here.
Thank you.
modulo
Community Support Moderator
Experts Exchange
ASKER
Good information for new setups, but no understanding of why or how to change existing setups - which is the goal of my question. Hence I'm not sure how to award points. Any suggestions? Otherwise will just close question.
The above 2 solutions have to be done on each workstation, logged on as a member of the local admin group:
To find out who is a member of the local admin group, do this on each workstation:
1. Start / Run
2. Input CMD
3. Press ENTER
4. Input NET LOCALGROUP ADMINISTRATORS
5. Press ENTER
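The membership check above, carried across several workstations, as an added example that is not part of the thread: this PowerShell sketch parses saved NET LOCALGROUP ADMINISTRATORS output and lists domain principals that hold local admin on more than one PC, which is the situation the earlier warning describes. It assumes English-language command output collected from each machine; the function name, CORP, PC01, PC02 and jsmith are made up for illustration.

```powershell
function Get-LocalAdminEntry {
    param([string]$Computer, [string[]]$NetOutput)
    $inMembers = $false
    foreach ($line in $NetOutput) {
        $text = $line.Trim()
        if ($text -match '^-{5,}$') { $inMembers = $true; continue }  # dashed rule opens the member list
        if (-not $inMembers -or $text -eq '') { continue }
        if ($text -like 'The command completed*') { break }           # trailer line closes it
        [pscustomobject]@{
            Computer = $Computer
            Member   = $text
            # DOMAIN\name is a domain principal; a bare name is an account local to the PC
            Scope    = if ($text.Contains('\')) { 'Domain' } else { 'Local' }
        }
    }
}
# Constructed sample output (assumption, not from the thread); all names are made up.
$samples = @{
    PC01 = @'
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\Domain Admins
CORP\local admins
The command completed successfully.
'@
    PC02 = @'
Members

-------------------------------------------------------------------------------
Administrator
CORP\Domain Admins
CORP\local admins
CORP\jsmith
The command completed successfully.
'@
}
$entries = $samples.Keys | ForEach-Object { Get-LocalAdminEntry -Computer $_ -NetOutput ($samples[$_] -split '\r?\n') }

# Domain principals that hold local admin on more than one workstation
$entries | Where-Object { $_.Scope -eq 'Domain' } | Group-Object Member |
    Where-Object { $_.Count -gt 1 } |
    Select-Object Name, @{ n = 'Computers'; e = { ($_.Group.Computer | Sort-Object) -join ', ' } }
```

The command output does not say whether a DOMAIN\name entry is a group or a single user, so each flagged name still has to be checked on the domain. On a live workstation, pass `(net localgroup administrators)` as `-NetOutput` instead of the sample text.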
Is the user profile you're trying to give admin privileges to a local account or a domain account? If you give the privileges to say "computername\BobsAccount"