Granting local rights to a domain user

Hello, folks,

I'm in the planning stages of a small peer-to-peer network moving to a domain, which will be running Win2k Server.  The company wants to maintain the users' ability to manage their own workstations.  I don't want everyone to have admin access on the domain.  How do you grant a normal domain user full access to their own machine, but restricted access to the server and the other machines on the network?

Thanks for the reply.

Charlie T.
charlietou Asked:
averyb Commented:
What OS are the client machines?

You'll be creating new domain accounts for each user.

Just add each person's domain account to the Local Power Users Group on each workstation.  

You can use Computer Management to do this once all of the computers have been added to the domain and all of the user accounts have been created.  Simply right-click the computer in question in AD Users and Computers and select Manage.  Expand Local Users and Groups | Open Groups | Double-click Power Users Group | Click Add | select the appropriate user's domain account.

Power Users can do more things than the regular users.  They can install apps, manage printers, change the time, and such.  They won't be able to make some high-level networking changes though.  Chances are this will work for the large majority of users.

You might be tempted to put the Domain user accounts in the Local Administrators group on each machine.  I wouldn't.  It is much better to leverage the "Run As" command.  The benefit is that the user is just a regular user most of the time and only needs admin level rights some of the time.  Imagine what could happen if a user logged in as Administrator were to open an email with a trojan.  The trojan would run in the user context (i.e. as an Administrator).  The damage done would be much less if the user context were just a regular user account.

MS Knowledge Base Article 220535 has information on using the Run As command.  In most cases, it is a one time setup.

I would also suggest you rename the Default Administrator Account on each machine and create another Admin level account on each machine.  A small effort on the front-end to avoid a huge headache down the road.
0
 
averyb Commented:
I forgot to add that the domain user accounts don't have any access to servers or any machine other than their own.

You would have to explicitly add their domain user account to the appropriate group for that to happen.
0
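
The Power Users step from the answer above, as an added command-line example that is not part of the original thread: a cmd.exe script, run on the workstation from a local administrator account, that adds the domain account given as its argument to the local Power Users group and flags it if it is also a local Administrator. The script name and the `EXAMPLE\jsmith` account are placeholders.

```bat
@echo off
rem Added example (not from the original thread).
rem Grants a domain account Power Users rights on THIS workstation only and
rem confirms it is not also a member of the local Administrators group.
rem Usage: grant-poweruser.cmd EXAMPLE\jsmith   (placeholder domain\user)
setlocal

if "%~1"=="" (
    echo Usage: %~nx0 DOMAIN\username
    exit /b 1
)
set "ACCOUNT=%~1"

rem Already a member? Literal, case-insensitive, whole-line match on the
rem member list so EXAMPLE\jsmith does not match EXAMPLE\jsmith2.
net localgroup "Power Users" | findstr /i /l /x /c:"%ACCOUNT%" >nul
if not errorlevel 1 (
    echo %ACCOUNT% is already in Power Users.
    goto check_admins
)

rem Local group change only: nothing is granted on servers or other machines.
net localgroup "Power Users" "%ACCOUNT%" /add
if errorlevel 1 (
    echo Failed to add %ACCOUNT% to Power Users.
    exit /b 1
)

:check_admins
rem The answer advises against local Administrators membership; flag it.
net localgroup Administrators | findstr /i /l /x /c:"%ACCOUNT%" >nul
if not errorlevel 1 (
    echo WARNING: %ACCOUNT% is also in the local Administrators group.
    exit /b 2
)

echo OK: %ACCOUNT% is a Power User, not a local Administrator, on %COMPUTERNAME%.
exit /b 0
```

An exit code of 2 means the account has more than Power Users rights on that workstation and its Administrators membership should be reviewed.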
 
charlietou (Author) Commented:
Most clients are Win2K or WinXP.  A few are Win98 (to be upgraded shortly).

I'm pushing for them to upgrade to Win2K for all the Win98 machines, but they'll probably be around for the initial domain setup.  And I know that Win98 has no security per se anyway, so those users shouldn't be inconvenienced in any way.

Thanks for the quick reply.


Charlie T.
0