Solved

Granting local rights to a domain user

Posted on 2004-04-28
3
648 Views
Last Modified: 2010-04-13
Hello, folks,

I'm in the planning stages of a small peer-to-peer network moving to a domain, which will be running Win2k Server.  The company wants to maintain the users' ability to manage their own workstations.  I don't want everyone to have admin access on the domain.  How do you grant a normal domain user full access to their own machine, but restricted access to the server and the other machines on the network?

Thanks for the reply.

Charlie T.
0
Comment
Question by:charlietou
  • 2
3 Comments
 
LVL 4

Accepted Solution

by:
averyb earned 195 total points
ID: 10943828
What OS are the client machines?

You'll be creating new domain accounts for each user.

Just add each person's domain account to the Local Power Users Group on each workstation.  

You can use Computer Management to do this once all of the computers have been added to the domain and all of the user accounts have been created.  Simply right-click the computer in question in AD Users and Computers and select manage.  Expand Local Users and Groups | Open Groups | Double-click Power users Group | Click Add | select the appropriate users domain account.

Power Users can do more things than the regular users.  Thye can install apps, manage printers, change the time, and such.  They won't be able to make some high-level networking changes though.  Chances are this will work for the large majority of users.

You might be tempted to put the Domain usre accounts in the Local Administrators group on each machine.  I wouldn't.  It is much better to leverage the "Run As" command.  The benefit is that the user is just a regular user most of the time and only needs admin level rights some of the time.  Imagine what could happen if a user logged in as Administrator were to open an email with a trojan.  The trojan would run in the user context (i.e. as an Administrator).  The damage done would be much less if the user context were just a regular user account.

MS Knowledge Base Article 220535 has information on using the Run As command.  In most cases, it is a one time setup.

I would also suggest you rename the Default Administrator Account on each machine and create another Admin level account on each machine.  A small effort on the front-end to avoid a huge headache down the road.
0
 
LVL 4

Expert Comment

by:averyb
ID: 10943831
I forgot to add that the domain user accounts don't have any access to servers or any machine other than their own.

You would have to explicitly add their domain user account to the appropriate group for that to happen.
0
 
LVL 3

Author Comment

by:charlietou
ID: 10943874
Most clients are Win2K or WinXP.  A few are Win98 (to be upgraded shortly).

I'm pushing for them to upgrade to Win2K for all the Win98 machines, but they'll probably be around for the initial domain setup.  And I know that Win98 has no security per se anyway, so those users shouldn't be inconvenienced in any way.

Thanks for the quick reply.


Charlie T.
0

Featured Post

NAS Cloud Backup Strategies

This article explains backup scenarios when using network storage. We review the so-called “3-2-1 strategy” and summarize the methods you can use to send NAS data to the cloud

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
February 24, 2017 — On February 23, Travis Ormandy, a vulnerability researcher at Google, reported on Twitter (https://twitter.com/taviso/status/834900838837411840) that massive stores of data have been leaked by CloudFlare, a company that provide…
Along with being a a promotional video for my three-day Annielytics Dashboard Seminor, this Micro Tutorial is an intro to Google Analytics API data.
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question