?
Solved

Need to change rights from user to admin on local machines

Posted on 2003-11-13
10
Medium Priority
?
231 Views
Last Modified: 2010-04-14
When a user logs into their machine I want them to have Admin rights on their computer and limited rights to the server.  Example, when Bob logs in he can add applications to his computer, but when he goes to the server he cannot add applications there.  
This is set up on a new Win 2003 server.
Thanks
0
Comment
Question by:jed2547
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
10 Comments
 
LVL 8

Expert Comment

by:nader alkahtani
ID: 9741506
Add him to Administrators Group on his machine enough
0
 
LVL 1

Accepted Solution

by:
DustinR1 earned 500 total points
ID: 9741658
Add the user to the local admin group.
    Control Panel > Users and Passwords

Lock down the server using NTFS Security Permissions on folders.
    Right click on the folder share and click on the security tab and change the setting there.
0
 
LVL 3

Expert Comment

by:Chris_Picciotto
ID: 9742242
I'm Just curious as to why these users need elevated rights. These days it is nuts to have users at this level with the amount of viruses, trojans, spyware and other nonsense. I found the adding users to the local power users group is more than enough.

Perhaps also you could take a look at this. It's microsoft's "Threats and Coutermeasures Guide for Windows 2003/XP". It encompases all of the things you can do to lock your network down using group policy and some other methods. It is very informative.

http://www.microsoft.com/downloads/details.aspx?familyid=1b6acf93-147a-4481-9346-f93a4081eea8&displaylang=en
0
Get real performance insights from real users

Key features:
- Total Pages Views and Load times
- Top Pages Viewed and Load Times
- Real Time Site Page Build Performance
- Users’ Browser and Platform Performance
- Geographic User Breakdown
- And more

 
LVL 6

Expert Comment

by:Casca1
ID: 9745372
While I agree with Chris, and would suggest following that advice, there is a good alternative solution.
Create (at least) three groups in AD.
1) PCAdmins
2) PCUsers
3) Normal users
Add the PCAdmins group to each machines local administrator acct. Depending on how many machines we are talking about, you might be better off doing this through the restricted groups in a GPO.
Add the PCUsers to the local users group on each machine. Once again, you might need a GPO.
Add the Domain users to the normal users group.
The reason I recommend the third group is in a large AD environment, it's possible, and even in many cases desirable, to create OU's, move the users from the Users OU into the respective OU's, and you may want to segregate from the entire Domain users security group for various resons, among those being some members being permanent members of Local admins groups and the possibility of the delegation of control passed down to and through the Domain users group.

By having the seperate third group everyone is a member of, you can move the member group from one group to another, thus giving rights and taking away with a single click, versus needing to add entire lists of people, or having to go to each PC individually.
Of course, there is no real need to create the third group, but I did want to include the option, just in case.
Hope this helps.
0
 
LVL 6

Expert Comment

by:Casca1
ID: 9745377
Add the Domain users to the normal users group.
To clarify, I do not mean the group, I mean the individual accounts.
0
 
LVL 25

Expert Comment

by:mikeleebrla
ID: 9774297
The reason he/she wants his/her users to have admin rights to the local machine is that probably 50% of third party programs simply weren't written well and will only work on windows 2000 if the user is in the admin group of the local machine regardless of what their AD rights are.  I have talked with tons of my vendors that tell me the only way their software will work is if a "user" is in the local admin group.  Sucks but thats just the way it is.  
0
 
LVL 6

Expert Comment

by:Casca1
ID: 9774639
You know, there is a way to go about elevating rights. Enable auditing (All) on a test machine, and then login and attempt to use individual programs. Then check your audit logs for success and failures on access and privilege use. Then customize the access as needed, create a local group with the appropriate access, and add the Domain Users group to the group you create. It's a lot of work, but depending on your environment, it would allow tighter security.
 
While I know there are many apps that run in that mode, I also know there are ways around it. My last job was at a bank, and they had an app that was Java based. Some of the controls weireded out unless in privilege mode. It took talking with the designers and experimentation to get that one straight.
0

Featured Post

What Is Blockchain Technology?

Blockchain is a technology that underpins the success of Bitcoin and other digital currencies, but it has uses far beyond finance. Learn how blockchain works and why it is proving disruptive to other areas of IT.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
This article will show how Aten was able to supply easy management and control for Artear's video walls and wide range display configurations of their newsroom.
In this video we outline the Physical Segments view of NetCrunch network monitor. By following this brief how-to video, you will be able to learn how NetCrunch visualizes your network, how granular is the information collected, as well as where to f…
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…
Suggested Courses
Course of the Month13 days, 13 hours left to enroll

801 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question