Solved

Need to change rights from user to admin on local machines

Posted on 2003-11-13
10
224 Views
Last Modified: 2010-04-14
When a user logs into their machine I want them to have Admin rights on their computer and limited rights to the server.  Example, when Bob logs in he can add applications to his computer, but when he goes to the server he cannot add applications there.  
This is set up on a new Win 2003 server.
Thanks
0
Question by:jed2547
10 Comments
 
LVL 8

Expert Comment

by:nader alkahtani
ID: 9741506
Adding him to the Administrators group on his machine is enough.
0
 
LVL 1

Accepted Solution

by:
DustinR1 earned 125 total points
ID: 9741658
Add the user to the local admin group.
    Control Panel > Users and Passwords

Lock down the server using NTFS Security Permissions on folders.
    Right click on the folder share and click on the security tab and change the setting there.
0
 
LVL 3

Expert Comment

by:Chris_Picciotto
ID: 9742242
I'm just curious as to why these users need elevated rights. These days it is nuts to have users at this level with the amount of viruses, trojans, spyware and other nonsense. I found that adding users to the local power users group is more than enough.

Perhaps also you could take a look at this. It's Microsoft's "Threats and Countermeasures Guide for Windows 2003/XP". It encompasses all of the things you can do to lock your network down using group policy and some other methods. It is very informative.

http://www.microsoft.com/downloads/details.aspx?familyid=1b6acf93-147a-4481-9346-f93a4081eea8&displaylang=en
0
 
LVL 6

Expert Comment

by:Casca1
ID: 9745372
While I agree with Chris, and would suggest following that advice, there is a good alternative solution.
Create (at least) three groups in AD.
1) PCAdmins
2) PCUsers
3) Normal users
Add the PCAdmins group to each machine's local administrator acct. Depending on how many machines we are talking about, you might be better off doing this through the restricted groups in a GPO.
Add the PCUsers to the local users group on each machine. Once again, you might need a GPO.
Add the Domain users to the normal users group.
The reason I recommend the third group is in a large AD environment, it's possible, and even in many cases desirable, to create OU's, move the users from the Users OU into the respective OU's, and you may want to segregate from the entire Domain users security group for various reasons, among those being some members being permanent members of Local admins groups and the possibility of the delegation of control passed down to and through the Domain users group.

By having the separate third group everyone is a member of, you can move the member group from one group to another, thus giving rights and taking away with a single click, versus needing to add entire lists of people, or having to go to each PC individually.
Of course, there is no real need to create the third group, but I did want to include the option, just in case.
Hope this helps.
0
 
LVL 6

Expert Comment

by:Casca1
ID: 9745377
Add the Domain users to the normal users group.
To clarify, I do not mean the group, I mean the individual accounts.
0
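
Added example (not part of any post in this thread): once local admin rights are granted through a domain group such as the PCAdmins group described above, a periodic check that each machine's local Administrators group contains only the expected principals catches drift. The domain name `CONTOSO` is a placeholder, and the script assumes Windows PowerShell 5.1 or later for the `Get-LocalGroupMember` cmdlet.

```powershell
# Added example: list members of the local Administrators group that are
# not on an allow-list. 'CONTOSO' is a placeholder domain; 'PCAdmins' is
# the AD group name used in the comment above.
$AllowedNames = @(
    'CONTOSO\Domain Admins',
    'CONTOSO\PCAdmins'
)

function Get-UnexpectedLocalAdmin {
    param([string[]]$AllowList)

    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators, so the
    # lookup does not depend on the display language of the OS.
    Get-LocalGroupMember -SID 'S-1-5-32-544' |
        Where-Object {
            # The built-in Administrator account always has RID 500,
            # even if it has been renamed.
            ($_.SID.Value -notmatch '-500$') -and
            ($AllowList -notcontains $_.Name)   # case-insensitive compare
        } |
        Select-Object Name, ObjectClass, PrincipalSource, @{ n = 'SID'; e = { $_.SID.Value } }
}

$unexpected = @(Get-UnexpectedLocalAdmin -AllowList $AllowedNames)

if ($unexpected.Count -eq 0) {
    Write-Output "$env:COMPUTERNAME: local Administrators membership matches the allow-list."
} else {
    Write-Warning "$env:COMPUTERNAME: $($unexpected.Count) unexpected member(s) in local Administrators:"
    $unexpected | Format-Table -AutoSize
}
```

Individually added user accounts show up here with `ObjectClass` set to `User`, which is the case the group-based approach is meant to avoid.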
 
LVL 25

Expert Comment

by:mikeleebrla
ID: 9774297
The reason he/she wants his/her users to have admin rights to the local machine is that probably 50% of third party programs simply weren't written well and will only work on Windows 2000 if the user is in the admin group of the local machine regardless of what their AD rights are.  I have talked with tons of my vendors that tell me the only way their software will work is if a "user" is in the local admin group.  Sucks but that's just the way it is.  
0
 
LVL 6

Expert Comment

by:Casca1
ID: 9774639
You know, there is a way to go about elevating rights. Enable auditing (All) on a test machine, and then login and attempt to use individual programs. Then check your audit logs for success and failures on access and privilege use. Then customize the access as needed, create a local group with the appropriate access, and add the Domain Users group to the group you create. It's a lot of work, but depending on your environment, it would allow tighter security.
 
While I know there are many apps that run in that mode, I also know there are ways around it. My last job was at a bank, and they had an app that was Java based. Some of the controls weirded out unless in privilege mode. It took talking with the designers and experimentation to get that one straight.
0
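
Added example (not part of any post in this thread): the audit-then-customize approach described above depends on turning the failure audits from a test run into a short list of files and registry keys the application could not open. The sketch below assumes Windows Vista/Server 2008 or later, where a denied handle request is logged as Security event 4656, and that object-access failure auditing and SACLs on the locations of interest are already enabled; `testuser` is a placeholder account name.

```powershell
# Added example: summarize which objects a standard-user test account was
# denied access to, grouped by process. Run from an elevated prompt, since
# reading the Security log requires administrative rights.
$TestUser     = 'testuser'            # placeholder account name
$AuditFailure = 0x10000000000000      # Security log keyword "Audit Failure"

function Get-DeniedAccessSummary {
    param(
        [string]$User,
        [datetime]$Since = (Get-Date).AddHours(-1)
    )

    $filter = @{
        LogName   = 'Security'
        Id        = 4656              # "A handle to an object was requested"
        Keywords  = $AuditFailure
        StartTime = $Since
    }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read the named EventData fields instead of relying on positions.
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }
            if ($data['SubjectUserName'] -eq $User) {
                [pscustomobject]@{
                    Process    = $data['ProcessName']
                    ObjectType = $data['ObjectType']   # e.g. File or Key
                    ObjectName = $data['ObjectName']
                    AccessMask = $data['AccessMask']
                }
            }
        } |
        Group-Object Process, ObjectType, ObjectName |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

Get-DeniedAccessSummary -User $TestUser | Format-Table -AutoSize -Wrap
```

Each row is a candidate for a narrowly scoped permission granted to a dedicated group, rather than membership in the local Administrators group.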
