Link to home
Start Free TrialLog in
Avatar of dgimenez
dgimenez

asked on

Domain User accounts with Local administrative rights - is that possible?

Hi.

We use Active Directory, and our desktops are Win2k Pro. We need to create domain accounts wich:

- are simple User accounts on domain
- have some administrator privileges on local machine

We do need this account to be able to create, start, stop and remove Services in local machines, but we cannot allow it to do the same on our Domain Servers.

Is that possible? If it is, how do I accomplish that??

Thanks in advance,
Danilo Gimenez
Avatar of MSGeek
MSGeek

Make domain users members of the local machines administrators group, however by doing this you are heavily compromising your networks secuirty, I am not just refering to what users will be able to do, but viruses & trojans.
ditto.
(despite risks, this is commonly done. I'm afraid)
ASKER CERTIFIED SOLUTION
Avatar of trywaredk
trywaredk
Flag of Denmark image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Jorgen... I was waiting for that, Regards. MSGeek.
MSGEEK... Yes, and you remembered "heavily compromising your networks security"

:o) Regards
Jorgen Malmgren
Avatar of dgimenez

ASKER

Hi Jorgen and folks:

I thank you all for your comments, and I think I have some explanations to give.

I work at a Education Center as a partner of a Database software company. We have lots of students, and at each new week they come here to learn about our Partner's software. Well, it just happens that we do need to give them administrator rights, otherwise they will not be able to do practice labs. It is a requirement from our Partner's software, and today all our students already have administrator rights on their machines. Specifically, they must have the rights to install software (Advanced Users group has it, I know) and to create, modify and remove Services - which, as far as I know, only users with Administrative rights can do.

Unfortunatelly, since they have these rights, obviously they keep messing around with our Windows installations.

I am trying to establish some policies - using Policy Groups at Active Directory server - in a way they still are going to be local administrators, but they will not be able to alter many Windows's properties, such as Network properties, Wallpaper image, hostname, and so on. More than that, they will have to logon at Domain, and this will run a centralized script with our courses' settings.

I don't mind if they are able to do all those remote accesses you've mentioned. Matter of fact, we do that today, and it even help us on our courses! We need to reformat and reinstall all software at each machine from time to time. It is part of our business rules.

I will read carefully those links you've pointed out.

Thanks!!
Danilo Gimenez
I would highly recommend you buy Ghost Corporate Edition.  You can re-imag all the machines in one classroom in 10-30 minutes depending on image size and processor speeds.  There is now way with them being admins to lock these items down, as an admin they can disable all policies very easily.
Jorgen:

I've read all documents you've suggested, and some links from them. I really appretiate your help. Thanks.

Danilo
Jorgen.. you finally got someone to accept that as an answer to their problem.  :)
MSGEEK... Maybe I can keep my parachute now ;O)