Need to change rights from user to admin on local machines

When a user logs into their machine I want them to have Admin rights on their computer and limited rights to the server.  Example, when Bob logs in he can add applications to his computer, but when he goes to the server he cannot add applications there.  
This is set up on a new Win 2003 server.
Thanks
jed2547Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

nader alkahtaniNetwork EngineerCommented:
Add him to Administrators Group on his machine enough
0
DustinR1Commented:
Add the user to the local admin group.
    Control Panel > Users and Passwords

Lock down the server using NTFS Security Permissions on folders.
    Right click on the folder share and click on the security tab and change the setting there.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Chris_PicciottoCommented:
I'm Just curious as to why these users need elevated rights. These days it is nuts to have users at this level with the amount of viruses, trojans, spyware and other nonsense. I found the adding users to the local power users group is more than enough.

Perhaps also you could take a look at this. It's microsoft's "Threats and Coutermeasures Guide for Windows 2003/XP". It encompases all of the things you can do to lock your network down using group policy and some other methods. It is very informative.

http://www.microsoft.com/downloads/details.aspx?familyid=1b6acf93-147a-4481-9346-f93a4081eea8&displaylang=en
0
Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

Casca1Commented:
While I agree with Chris, and would suggest following that advice, there is a good alternative solution.
Create (at least) three groups in AD.
1) PCAdmins
2) PCUsers
3) Normal users
Add the PCAdmins group to each machines local administrator acct. Depending on how many machines we are talking about, you might be better off doing this through the restricted groups in a GPO.
Add the PCUsers to the local users group on each machine. Once again, you might need a GPO.
Add the Domain users to the normal users group.
The reason I recommend the third group is in a large AD environment, it's possible, and even in many cases desirable, to create OU's, move the users from the Users OU into the respective OU's, and you may want to segregate from the entire Domain users security group for various resons, among those being some members being permanent members of Local admins groups and the possibility of the delegation of control passed down to and through the Domain users group.

By having the seperate third group everyone is a member of, you can move the member group from one group to another, thus giving rights and taking away with a single click, versus needing to add entire lists of people, or having to go to each PC individually.
Of course, there is no real need to create the third group, but I did want to include the option, just in case.
Hope this helps.
0
Casca1Commented:
Add the Domain users to the normal users group.
To clarify, I do not mean the group, I mean the individual accounts.
0
mikeleebrlaCommented:
The reason he/she wants his/her users to have admin rights to the local machine is that probably 50% of third party programs simply weren't written well and will only work on windows 2000 if the user is in the admin group of the local machine regardless of what their AD rights are.  I have talked with tons of my vendors that tell me the only way their software will work is if a "user" is in the local admin group.  Sucks but thats just the way it is.  
0
Casca1Commented:
You know, there is a way to go about elevating rights. Enable auditing (All) on a test machine, and then login and attempt to use individual programs. Then check your audit logs for success and failures on access and privilege use. Then customize the access as needed, create a local group with the appropriate access, and add the Domain Users group to the group you create. It's a lot of work, but depending on your environment, it would allow tighter security.
 
While I know there are many apps that run in that mode, I also know there are ways around it. My last job was at a bank, and they had an app that was Java based. Some of the controls weireded out unless in privilege mode. It took talking with the designers and experimentation to get that one straight.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows 2000

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.