Solved

Granting local rights to a domain user

Posted on 2004-04-28
3
643 Views
Last Modified: 2010-04-13
Hello, folks,

I'm in the planning stages of a small peer-to-peer network moving to a domain, which will be running Win2k Server.  The company wants to maintain the users' ability to manage their own workstations.  I don't want everyone to have admin access on the domain.  How do you grant a normal domain user full access to their own machine, but restricted access to the server and the other machines on the network?

Thanks for the reply.

Charlie T.
0
Comment
Question by:charlietou
  • 2
3 Comments
 
LVL 4

Accepted Solution

by:
averyb earned 195 total points
Comment Utility
What OS are the client machines?

You'll be creating new domain accounts for each user.

Just add each person's domain account to the Local Power Users Group on each workstation.  

You can use Computer Management to do this once all of the computers have been added to the domain and all of the user accounts have been created.  Simply right-click the computer in question in AD Users and Computers and select manage.  Expand Local Users and Groups | Open Groups | Double-click Power users Group | Click Add | select the appropriate users domain account.

Power Users can do more things than the regular users.  Thye can install apps, manage printers, change the time, and such.  They won't be able to make some high-level networking changes though.  Chances are this will work for the large majority of users.

You might be tempted to put the Domain usre accounts in the Local Administrators group on each machine.  I wouldn't.  It is much better to leverage the "Run As" command.  The benefit is that the user is just a regular user most of the time and only needs admin level rights some of the time.  Imagine what could happen if a user logged in as Administrator were to open an email with a trojan.  The trojan would run in the user context (i.e. as an Administrator).  The damage done would be much less if the user context were just a regular user account.

MS Knowledge Base Article 220535 has information on using the Run As command.  In most cases, it is a one time setup.

I would also suggest you rename the Default Administrator Account on each machine and create another Admin level account on each machine.  A small effort on the front-end to avoid a huge headache down the road.
0
 
LVL 4

Expert Comment

by:averyb
Comment Utility
I forgot to add that the domain user accounts don't have any access to servers or any machine other than their own.

You would have to explicitly add their domain user account to the appropriate group for that to happen.
0
 
LVL 3

Author Comment

by:charlietou
Comment Utility
Most clients are Win2K or WinXP.  A few are Win98 (to be upgraded shortly).

I'm pushing for them to upgrade to Win2K for all the Win98 machines, but they'll probably be around for the initial domain setup.  And I know that Win98 has no security per se anyway, so those users shouldn't be inconvenienced in any way.

Thanks for the quick reply.


Charlie T.
0

Featured Post

6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

Join & Write a Comment

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
Scam emails are a huge burden for many businesses. Spotting one is not always easy. Follow our tips to identify if an email you receive is a scam.
Illustrator's Shape Builder tool will let you combine shapes visually and interactively. This video shows the Mac version, but the tool works the same way in Windows. To follow along with this video, you can draw your own shapes or download the file…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now