Solved

Domain User accounts with Local administrative rights - is that possible?

Posted on 2003-03-25
Last Modified: 2013-12-04
Hi.

We use Active Directory, and our desktops are Win2k Pro. We need to create domain accounts which:

- are simple User accounts on domain
- have some administrator privileges on local machine

We do need this account to be able to create, start, stop and remove Services in local machines, but we cannot allow it to do the same on our Domain Servers.

Is that possible? If it is, how do I accomplish that??

Thanks in advance,
Danilo Gimenez
0
Comment
Question by:dgimenez
10 Comments
 
LVL 9

Expert Comment

by:MSGeek
ID: 8205586
Make domain users members of the local machines' administrators group, however by doing this you are heavily compromising your network's security, I am not just referring to what users will be able to do, but viruses & trojans.
0
 
LVL 24

Expert Comment

by:SunBow
ID: 8212160
ditto.
(despite risks, this is commonly done. I'm afraid)
0
 
LVL 12

Accepted Solution

by:
trywaredk earned 300 total points
ID: 8217116
DGIMENEZ... As MSGEEK answered, please be careful with members of the LOCAL admin group:


:o) PLEASE READ THIS CAREFULLY:

You must NEVER NEVER add a Domain User Group to the Local Admin Group on each workstation.

And You must NEVER add the same Domain User to the Local Admin Group on more than his/her own workstation

If You add a Domain User Group to the Local Admin Group, every member of this Domain User Group gets unlimited REMOTE access power of every workstation on Your network.

The unlimited REMOTE access involves:
1. Explorer: \\ComputerName\C$
2. Registry
3. Computer Management (Control Panel)


IF YOU WANT TO KNOW MORE ABOUT THIS ISSUE:
http://www.experts-exchange.com/Security/Win_Security/Q_20506528.html
http://www.tryware.dk/English/W2kLocalGroupPolicy/TotalAdminPower.html
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windows2000serv/evaluate/featfunc/07w2kadc.asp
http://support.microsoft.com/?kbid=182734


IF YOU WANT TO TEST IT:
You have to grant a Domain User Group to the Local Admin Group on BOTH test-workstations, AND logout and logon again.

Important: You have to make a new logon after creating the credentials, because they are given in W2k in the second where You press ENTER to password when logging on.

Please reply, when You have removed the Domain User Group from the Local Admin Group again!


Many Regards

Jorgen Malmgren
IT-Supervisor
Denmark
0
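An audit for the two rules in the accepted answer above, as an added example that is not part of the original thread: it flags domain groups placed in a workstation's local Administrators group and domain users who are local administrators on more than one machine. The inventory rows, the EXAMPLE domain and the function name Find-LocalAdminExposure are assumptions; rows in this shape can be collected with `net localgroup Administrators` or, on newer Windows versions, Get-LocalGroupMember.

```powershell
# Constructed sample data: one row per member of each workstation's local
# Administrators group. EXAMPLE, WS01..WS03, Students, alice, bob are placeholders.
$rows = @'
Computer,Member,Class
WS01,EXAMPLE\Domain Admins,Group
WS01,WS01\Administrator,User
WS01,EXAMPLE\Students,Group
WS01,EXAMPLE\alice,User
WS02,EXAMPLE\Domain Admins,Group
WS02,EXAMPLE\Students,Group
WS02,EXAMPLE\alice,User
WS03,EXAMPLE\Domain Admins,Group
WS03,EXAMPLE\bob,User
'@ | ConvertFrom-Csv

function Find-LocalAdminExposure {
    param(
        [Parameter(Mandatory)] [object[]] $Inventory,
        [Parameter(Mandatory)] [string]   $Domain,
        # Domain Admins is added to local Administrators when a machine joins
        # the domain, so it is expected and not reported.
        [string[]] $AllowedGroups = @('Domain Admins')
    )
    # Only domain principals are checked; machine-local accounts are out of scope.
    $domainRows = $Inventory | Where-Object { $_.Member -like "${Domain}\*" }

    # Rule 1: any other domain group in local Administrators makes every member
    # of that group an administrator of each machine it was added on.
    $domainRows |
        Where-Object { $_.Class -eq 'Group' -and ($_.Member -split '\\', 2)[1] -notin $AllowedGroups } |
        Group-Object Member |
        ForEach-Object {
            [pscustomobject]@{ Rule = 'DomainGroupInLocalAdmins'; Member = $_.Name
                               Computers = ($_.Group.Computer | Sort-Object) -join ',' }
        }

    # Rule 2: one domain user who is local admin on more than one workstation.
    $domainRows |
        Where-Object { $_.Class -eq 'User' } |
        Group-Object Member |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{ Rule = 'UserAdminOnMultipleHosts'; Member = $_.Name
                               Computers = ($_.Group.Computer | Sort-Object) -join ',' }
        }
}

Find-LocalAdminExposure -Inventory $rows -Domain 'EXAMPLE' | Format-Table -AutoSize
```

On the sample data this reports EXAMPLE\Students and EXAMPLE\alice, each on WS01 and WS02; EXAMPLE\bob is an administrator of a single workstation and is not reported.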

 
LVL 9

Expert Comment

by:MSGeek
ID: 8217159
Jorgen... I was waiting for that, Regards. MSGeek.
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 8220136
MSGEEK... Yes, and you remembered "heavily compromising your networks security"

:o) Regards
Jorgen Malmgren
0
 

Author Comment

by:dgimenez
ID: 8224427
Hi Jorgen and folks:

I thank you all for your comments, and I think I have some explanations to give.

I work at an Education Center as a partner of a Database software company. We have lots of students, and at each new week they come here to learn about our Partner's software. Well, it just happens that we do need to give them administrator rights, otherwise they will not be able to do practice labs. It is a requirement from our Partner's software, and today all our students already have administrator rights on their machines. Specifically, they must have the rights to install software (Advanced Users group has it, I know) and to create, modify and remove Services - which, as far as I know, only users with Administrative rights can do.

Unfortunately, since they have these rights, obviously they keep messing around with our Windows installations.

I am trying to establish some policies - using Policy Groups at Active Directory server - in a way they still are going to be local administrators, but they will not be able to alter many Windows's properties, such as Network properties, Wallpaper image, hostname, and so on. More than that, they will have to logon at Domain, and this will run a centralized script with our courses' settings.

I don't mind if they are able to do all those remote accesses you've mentioned. Matter of fact, we do that today, and it even helps us on our courses! We need to reformat and reinstall all software at each machine from time to time. It is part of our business rules.

I will read carefully those links you've pointed out.

Thanks!!
Danilo Gimenez
0
 
LVL 9

Expert Comment

by:MSGeek
ID: 8224648
I would highly recommend you buy Ghost Corporate Edition.  You can re-image all the machines in one classroom in 10-30 minutes depending on image size and processor speeds.  There is no way with them being admins to lock these items down, as an admin they can disable all policies very easily.
0
 

Author Comment

by:dgimenez
ID: 8250563
Jorgen:

I've read all documents you've suggested, and some links from them. I really appreciate your help. Thanks.

Danilo
0
 
LVL 9

Expert Comment

by:MSGeek
ID: 8253057
Jorgen.. you finally got someone to accept that as an answer to their problem.  :)
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 8253692
MSGEEK... Maybe I can keep my parachute now ;O)
0
