Solved

Need to change rights from user to admin on local machines

Posted on 2003-11-13
Last Modified: 2010-04-14
When a user logs into their machine I want them to have Admin rights on their computer and limited rights to the server.  Example, when Bob logs in he can add applications to his computer, but when he goes to the server he cannot add applications there.  
This is set up on a new Win 2003 server.
Thanks
Question by:jed2547
7 Comments
 
LVL 8

Expert Comment

by:nader alkahtani
ID: 9741506
Adding him to the Administrators group on his machine is enough.
0
 
LVL 1

Accepted Solution

by:
DustinR1 earned 500 total points
ID: 9741658
Add the user to the local admin group.
    Control Panel > Users and Passwords

Lock down the server using NTFS Security Permissions on folders.
    Right click on the folder share and click on the security tab and change the setting there.
0
 
LVL 3

Expert Comment

by:Chris_Picciotto
ID: 9742242
I'm just curious as to why these users need elevated rights. These days it is nuts to have users at this level with the amount of viruses, trojans, spyware and other nonsense. I found that adding users to the local Power Users group is more than enough.

Perhaps you could also take a look at this. It's Microsoft's "Threats and Countermeasures Guide for Windows 2003/XP". It encompasses all of the things you can do to lock your network down using group policy and some other methods. It is very informative.

http://www.microsoft.com/downloads/details.aspx?familyid=1b6acf93-147a-4481-9346-f93a4081eea8&displaylang=en
0
 
LVL 6

Expert Comment

by:Casca1
ID: 9745372
While I agree with Chris, and would suggest following that advice, there is a good alternative solution.
Create (at least) three groups in AD.
1) PCAdmins
2) PCUsers
3) Normal users
Add the PCAdmins group to each machine's local administrator acct. Depending on how many machines we are talking about, you might be better off doing this through the restricted groups in a GPO.
Add the PCUsers to the local users group on each machine. Once again, you might need a GPO.
Add the Domain users to the normal users group.
The reason I recommend the third group is in a large AD environment, it's possible, and even in many cases desirable, to create OUs, move the users from the Users OU into the respective OUs, and you may want to segregate from the entire Domain users security group for various reasons, among those being some members being permanent members of Local admins groups and the possibility of the delegation of control passed down to and through the Domain users group.

By having the separate third group everyone is a member of, you can move the member group from one group to another, thus giving rights and taking away with a single click, versus needing to add entire lists of people, or having to go to each PC individually.
Of course, there is no real need to create the third group, but I did want to include the option, just in case.
Hope this helps.
0
 
LVL 6

Expert Comment

by:Casca1
ID: 9745377
Add the Domain users to the normal users group.
To clarify, I do not mean the group, I mean the individual accounts.
0
 
LVL 25

Expert Comment

by:mikeleebrla
ID: 9774297
The reason he/she wants his/her users to have admin rights to the local machine is that probably 50% of third party programs simply weren't written well and will only work on Windows 2000 if the user is in the admin group of the local machine regardless of what their AD rights are. I have talked with tons of my vendors that tell me the only way their software will work is if a "user" is in the local admin group. Sucks, but that's just the way it is.
0
 
LVL 6

Expert Comment

by:Casca1
ID: 9774639
You know, there is a way to go about elevating rights. Enable auditing (All) on a test machine, and then login and attempt to use individual programs. Then check your audit logs for success and failures on access and privilege use. Then customize the access as needed, create a local group with the appropriate access, and add the Domain Users group to the group you create. It's a lot of work, but depending on your environment, it would allow tighter security.
 
While I know there are many apps that run in that mode, I also know there are ways around it. My last job was at a bank, and they had an app that was Java based. Some of the controls weirded out unless in privilege mode. It took talking with the designers and experimentation to get that one straight.
0
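
The audit-then-grant procedure described in the last comment, as an added PowerShell example (not code from the thread or from any participant). It assumes a current Windows release, where the relevant Security-log events are 4656 and 4673; the function names, users, program and paths are constructed for illustration.

```powershell
# Added example, not from the thread: list what one program was denied while
# run as a standard user, so only that access is granted afterwards.
# 4656 = handle to an object requested, 4673 = privileged service called.

function ConvertFrom-AuditEvent {
    # Flatten an EventLogRecord from Get-WinEvent into the fields used below.
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        $d = @{}
        foreach ($n in ([xml]$Record.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $priv = $Record.Id -eq 4673
        [pscustomobject]@{
            Failed  = ($Record.Keywords -band 0x10000000000000) -ne 0   # Audit Failure keyword
            User    = $d['SubjectUserName']
            Process = $d['ProcessName']
            Kind    = if ($priv) { 'Privilege' } else { $d['ObjectType'] }
            Target  = if ($priv) { $d['PrivilegeList'] } else { $d['ObjectName'] }
            Access  = if ($priv) { '' } else { $d['AccessMask'] }
        }
    }
}

function Get-AccessGap {
    # Distinct failed requests made by one user through one executable.
    param([object[]] $Records, [string] $User, [string] $Exe)
    $Records |
        Where-Object { $_.Failed -and $_.User -eq $User -and
                       (Split-Path $_.Process -Leaf) -eq $Exe } |
        Group-Object Kind, Target, Access |
        ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{ Kind = $first.Kind; Target = $first.Target
                               Access = $first.Access; Hits = $_.Count }
        } | Sort-Object Kind, Target
}

# Constructed records in the shape ConvertFrom-AuditEvent emits.
$sample = @(
    [pscustomobject]@{ Failed=$true;  User='bob';   Process='C:\LegacyApp\legacy.exe'; Kind='File'; Target='C:\LegacyApp\settings.ini'; Access='0x2' }
    [pscustomobject]@{ Failed=$true;  User='bob';   Process='C:\LegacyApp\legacy.exe'; Kind='File'; Target='C:\LegacyApp\settings.ini'; Access='0x2' }
    [pscustomobject]@{ Failed=$true;  User='bob';   Process='C:\LegacyApp\legacy.exe'; Kind='Key';  Target='\REGISTRY\MACHINE\SOFTWARE\LegacyApp'; Access='0x20006' }
    [pscustomobject]@{ Failed=$false; User='bob';   Process='C:\LegacyApp\legacy.exe'; Kind='File'; Target='C:\LegacyApp\legacy.dll'; Access='0x1' }
    [pscustomobject]@{ Failed=$true;  User='alice'; Process='C:\Windows\explorer.exe'; Kind='File'; Target='C:\LegacyApp\settings.ini'; Access='0x2' }
)
Get-AccessGap -Records $sample -User 'bob' -Exe 'legacy.exe' | Format-Table -AutoSize

# On the test machine (elevated), with failure auditing on and audit entries set:
# $live = Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4656,4673 } | ConvertFrom-AuditEvent
```

Object-access events are only written for files and registry keys that carry an audit entry (SACL), so set one on the application's folders and keys on the test machine before reproducing the failure. The resulting list is what to grant to a dedicated local group in place of Administrators membership.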
