Domain User accounts with Local administrative rights - is that possible?

Posted on 2003-03-25
Last Modified: 2013-12-04
Hi.

We use Active Directory, and our desktops are Win2k Pro. We need to create domain accounts which:

- are simple User accounts on domain
- have some administrator privileges on local machine

We do need this account to be able to create, start, stop and remove Services in local machines, but we cannot allow it to do the same on our Domain Servers.

Is that possible? If it is, how do I accomplish that??

Thanks in advance,
Danilo Gimenez
Question by:dgimenez
10 Comments
 
LVL 9

Expert Comment

by:MSGeek
ID: 8205586
Make domain users members of the local machine's Administrators group; however, by doing this you are heavily compromising your network's security. I am not just referring to what users will be able to do, but viruses & trojans.
0
 
LVL 24

Expert Comment

by:SunBow
ID: 8212160
ditto.
(despite risks, this is commonly done. I'm afraid)
0
 
LVL 12

Accepted Solution

by:
trywaredk earned 300 total points
ID: 8217116
DGIMENEZ... As MSGEEK answered, please be careful with members of the LOCAL admin group:


:o) PLEASE READ THIS CAREFULLY:

You must NEVER NEVER add a Domain User Group to the Local Admin Group on each workstation.

And You must NEVER add the same Domain User to the Local Admin Group on more than his/her own workstation.

If You add a Domain User Group to the Local Admin Group, every member of this Domain User Group gets unlimited REMOTE access power of every workstation on Your network.

The unlimited REMOTE access involves:
1. Explorer: \\ComputerName\C$
2. Registry
3. Computer Management (Control Panel)


IF YOU WANT TO KNOW MORE ABOUT THIS ISSUE:
http://www.experts-exchange.com/Security/Win_Security/Q_20506528.html
http://www.tryware.dk/English/W2kLocalGroupPolicy/TotalAdminPower.html
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windows2000serv/evaluate/featfunc/07w2kadc.asp
http://support.microsoft.com/?kbid=182734


IF YOU WANT TO TEST IT:
You have to grant a Domain User Group to the Local Admin Group on BOTH test-workstations, AND logout and logon again.

Important: You have to make a new logon after creating the credentials, because they are given in W2k in the second where You press ENTER to password when logging on.

Please reply, when You have removed the Domain User Group from the Local Admin Group again!


Many Regards

Jorgen Malmgren
IT-Supervisor
Denmark
0
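An added example, not part of the original thread: a small audit that checks the two rules from the accepted answer (no domain group in a workstation's local Administrators group, no domain user as local admin on more than one workstation) against an exported membership inventory. The CSV layout, host names, the `EDU` domain and the allow-listing of `Domain Admins` are assumptions constructed for this example.

```python
import csv
import io
from collections import defaultdict

# Constructed inventory: one row per member of each workstation's local
# Administrators group. The column layout is an assumption of this example.
SAMPLE = """host,member,object_class
LAB-PC01,LAB-PC01\\Administrator,User
LAB-PC01,EDU\\Domain Admins,Group
LAB-PC01,EDU\\student01,User
LAB-PC02,LAB-PC02\\Administrator,User
LAB-PC02,EDU\\Domain Admins,Group
LAB-PC02,EDU\\student01,User
LAB-PC02,EDU\\Students,Group
LAB-PC03,LAB-PC03\\Administrator,User
LAB-PC03,EDU\\student03,User
"""

# Authorities that are local to the machine rather than domain principals.
LOCAL_AUTHORITIES = {"builtin", "nt authority"}


def audit(inventory_csv, allowed_groups=("Domain Admins",)):
    """Return (domain groups found in local admins, users admin on >1 host)."""
    allowed = {g.lower() for g in allowed_groups}
    group_findings = []
    user_hosts = defaultdict(set)
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        host, member = row["host"].strip(), row["member"].strip()
        authority, _, name = member.rpartition("\\")
        auth = authority.lower()
        # Skip unqualified names and accounts local to this workstation.
        if not auth or auth in LOCAL_AUTHORITIES or auth == host.lower():
            continue
        if row["object_class"].strip().lower() == "group":
            # Rule 1: a domain group here makes every member a local admin.
            if name.lower() not in allowed:
                group_findings.append((host, member))
        else:
            user_hosts[member.lower()].add(host)
    # Rule 2: the same domain user is local admin on several workstations.
    shared = {u: sorted(h) for u, h in user_hosts.items() if len(h) > 1}
    return sorted(group_findings), shared


if __name__ == "__main__":
    groups, shared_users = audit(SAMPLE)
    for host, member in groups:
        print(f"{host}: domain group {member} is in local Administrators")
    for user, hosts in shared_users.items():
        print(f"{user} is local admin on {', '.join(hosts)}")
```
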
 
LVL 9

Expert Comment

by:MSGeek
ID: 8217159
Jorgen... I was waiting for that, Regards. MSGeek.
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 8220136
MSGEEK... Yes, and you remembered "heavily compromising your networks security"

:o) Regards
Jorgen Malmgren
0
 

Author Comment

by:dgimenez
ID: 8224427
Hi Jorgen and folks:

I thank you all for your comments, and I think I have some explanations to give.

I work at an Education Center as a partner of a Database software company. We have lots of students, and at each new week they come here to learn about our Partner's software. Well, it just happens that we do need to give them administrator rights, otherwise they will not be able to do practice labs. It is a requirement from our Partner's software, and today all our students already have administrator rights on their machines. Specifically, they must have the rights to install software (Advanced Users group has it, I know) and to create, modify and remove Services - which, as far as I know, only users with Administrative rights can do.

Unfortunately, since they have these rights, obviously they keep messing around with our Windows installations.

I am trying to establish some policies - using Policy Groups at Active Directory server - in a way they still are going to be local administrators, but they will not be able to alter many Windows's properties, such as Network properties, Wallpaper image, hostname, and so on. More than that, they will have to logon at Domain, and this will run a centralized script with our courses' settings.

I don't mind if they are able to do all those remote accesses you've mentioned. Matter of fact, we do that today, and it even helps us on our courses! We need to reformat and reinstall all software at each machine from time to time. It is part of our business rules.

I will read carefully those links you've pointed out.

Thanks!!
Danilo Gimenez
0
 
LVL 9

Expert Comment

by:MSGeek
ID: 8224648
I would highly recommend you buy Ghost Corporate Edition.  You can re-image all the machines in one classroom in 10-30 minutes depending on image size and processor speeds.  There is no way with them being admins to lock these items down; as an admin they can disable all policies very easily.
0
 

Author Comment

by:dgimenez
ID: 8250563
Jorgen:

I've read all documents you've suggested, and some links from them. I really appreciate your help. Thanks.

Danilo
0
 
LVL 9

Expert Comment

by:MSGeek
ID: 8253057
Jorgen.. you finally got someone to accept that as an answer to their problem.  :)
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 8253692
MSGEEK... Maybe I can keep my parachute now ;O)
0
