Solved

Need to change rights from user to admin on local machines

Posted on 2003-11-13
Last Modified: 2010-04-14
When a user logs into their machine I want them to have Admin rights on their computer and limited rights to the server.  Example, when Bob logs in he can add applications to his computer, but when he goes to the server he cannot add applications there.  
This is set up on a new Win 2003 server.
Thanks
0
Question by:jed2547
10 Comments
 
LVL 8

Expert Comment

by:nader alkahtani
ID: 9741506
Adding him to the Administrators group on his machine is enough.
0
 
LVL 1

Accepted Solution

by:
DustinR1 earned 125 total points
ID: 9741658
Add the user to the local admin group.
    Control Panel > Users and Passwords

Lock down the server using NTFS Security Permissions on folders.
    Right click on the folder share and click on the security tab and change the setting there.
0
 
LVL 3

Expert Comment

by:Chris_Picciotto
ID: 9742242
I'm just curious as to why these users need elevated rights. These days it is nuts to have users at this level with the amount of viruses, trojans, spyware and other nonsense. I found that adding users to the local Power Users group is more than enough.

Perhaps you could also take a look at this. It's Microsoft's "Threats and Countermeasures Guide for Windows 2003/XP". It encompasses all of the things you can do to lock your network down using group policy and some other methods. It is very informative.

http://www.microsoft.com/downloads/details.aspx?familyid=1b6acf93-147a-4481-9346-f93a4081eea8&displaylang=en
0
 
LVL 6

Expert Comment

by:Casca1
ID: 9745372
While I agree with Chris, and would suggest following that advice, there is a good alternative solution.
Create (at least) three groups in AD.
1) PCAdmins
2) PCUsers
3) Normal users
Add the PCAdmins group to each machine's local administrator acct. Depending on how many machines we are talking about, you might be better off doing this through the restricted groups in a GPO.
Add the PCUsers to the local users group on each machine. Once again, you might need a GPO.
Add the Domain users to the normal users group.
The reason I recommend the third group is in a large AD environment, it's possible, and even in many cases desirable, to create OUs, move the users from the Users OU into the respective OUs, and you may want to segregate from the entire Domain users security group for various reasons, among those being some members being permanent members of Local admins groups and the possibility of the delegation of control passed down to and through the Domain users group.

By having the separate third group everyone is a member of, you can move the member group from one group to another, thus giving rights and taking away with a single click, versus needing to add entire lists of people, or having to go to each PC individually.
Of course, there is no real need to create the third group, but I did want to include the option, just in case.
Hope this helps.
0
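The group design described above can be checked per workstation. The following is an added example, not code from the thread: it compares the local Administrators group with an allowlist, which is the state a Restricted Groups GPO would enforce. The domain name CONTOSO and the allowlist entries are assumptions, and `Get-LocalGroupMember` needs Windows PowerShell 5.1 or later, so it does not run on the 2003-era clients in the question.

```powershell
# Added example: audit local Administrators membership against the group design.
# CONTOSO, PCAdmins and the allowlist below are assumptions for illustration.
$Domain  = 'CONTOSO'
$Allowed = @(
    "$env:COMPUTERNAME\Administrator"
    "$Domain\Domain Admins"
    "$Domain\PCAdmins"
)

function Compare-AdminMembership {
    param([string[]]$Actual, [string[]]$Expected)
    # -notcontains is case-insensitive, matching how Windows treats account names.
    $unexpected = @($Actual   | Where-Object { $Expected -notcontains $_ })
    $missing    = @($Expected | Where-Object { $Actual   -notcontains $_ })
    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        Unexpected = $unexpected -join '; '
        Missing    = $missing -join '; '
        Compliant  = ($unexpected.Count -eq 0 -and $missing.Count -eq 0)
    }
}

# S-1-5-32-544 is the well-known SID of BUILTIN\Administrators,
# so the lookup also works on localized Windows installations.
$members = @(Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop |
    Select-Object -ExpandProperty Name)

Compare-AdminMembership -Actual $members -Expected $Allowed
```

An account added individually, as in the accepted solution, is listed under `Unexpected`; rights granted through membership of PCAdmins are not, which makes later removal a single group change.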
 
LVL 6

Expert Comment

by:Casca1
ID: 9745377
Add the Domain users to the normal users group.
To clarify, I do not mean the group, I mean the individual accounts.
0
 
LVL 25

Expert Comment

by:mikeleebrla
ID: 9774297
The reason he/she wants his/her users to have admin rights to the local machine is that probably 50% of third party programs simply weren't written well and will only work on Windows 2000 if the user is in the admin group of the local machine regardless of what their AD rights are. I have talked with tons of my vendors that tell me the only way their software will work is if a "user" is in the local admin group. Sucks but that's just the way it is.
0
 
LVL 6

Expert Comment

by:Casca1
ID: 9774639
You know, there is a way to go about elevating rights. Enable auditing (All) on a test machine, and then login and attempt to use individual programs. Then check your audit logs for success and failures on access and privilege use. Then customize the access as needed, create a local group with the appropriate access, and add the Domain Users group to the group you create. It's a lot of work, but depending on your environment, it would allow tighter security.
 
While I know there are many apps that run in that mode, I also know there are ways around it. My last job was at a bank, and they had an app that was Java based. Some of the controls weirded out unless in privilege mode. It took talking with the designers and experimentation to get that one straight.
0
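The audit-then-grant approach in the comment above produces a lot of Security log entries. The following added example, which is not part of the original thread, summarizes the failure audits for one test account so that access can be granted per object instead of through local admin. It assumes Windows Vista/Server 2008 or later event IDs (4656 handle request, 4673 and 4674 privilege use), that object-access and privilege-use failure auditing is already enabled, and a test account named `bob`; run it elevated on the test machine.

```powershell
# Added example: list what a test account was denied while running an application.
# $TestUser and the one-hour window are assumptions for illustration.
$TestUser     = 'bob'
$AuditFailure = 4503599627370496   # "Audit Failure" keyword (0x10000000000000)

function Get-EventField {
    param([xml]$Xml, [string]$Name)
    # EventData holds <Data Name="...">value</Data> elements.
    $node = $Xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }
    if ($node) { ([string]$node.'#text').Trim() }
}

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4656, 4673, 4674
    Keywords  = $AuditFailure
    StartTime = (Get-Date).AddHours(-1)
} -ErrorAction SilentlyContinue

$events | ForEach-Object {
    $xml = [xml]$_.ToXml()
    [pscustomobject]@{
        EventId   = $_.Id
        User      = Get-EventField $xml 'SubjectUserName'
        Process   = Get-EventField $xml 'ProcessName'
        Object    = Get-EventField $xml 'ObjectName'
        Privilege = Get-EventField $xml 'PrivilegeList'
    }
} | Where-Object { $_.User -eq $TestUser } |
    Group-Object Process, Object, Privilege |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Each output row is one process, object and privilege combination with the number of denials, which is the list to work through when building the custom local group the comment describes.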