Solved

Granting local rights to a domain user

Posted on 2004-04-28
Last Modified: 2010-04-13
Hello, folks,

I'm in the planning stages of a small peer-to-peer network moving to a domain, which will be running Win2k Server.  The company wants to maintain the users' ability to manage their own workstations.  I don't want everyone to have admin access on the domain.  How do you grant a normal domain user full access to their own machine, but restricted access to the server and the other machines on the network?

Thanks for the reply.

Charlie T.
Question by:charlietou
LVL 4

Accepted Solution

by:
averyb earned 780 total points
ID: 10943828
What OS are the client machines?

You'll be creating new domain accounts for each user.

Just add each person's domain account to the Local Power Users Group on each workstation.  

You can use Computer Management to do this once all of the computers have been added to the domain and all of the user accounts have been created.  Simply right-click the computer in question in AD Users and Computers and select Manage.  Expand Local Users and Groups | Open Groups | Double-click Power Users Group | Click Add | select the appropriate user's domain account.

Power Users can do more things than the regular users.  They can install apps, manage printers, change the time, and such.  They won't be able to make some high-level networking changes though.  Chances are this will work for the large majority of users.

You might be tempted to put the Domain user accounts in the Local Administrators group on each machine.  I wouldn't.  It is much better to leverage the "Run As" command.  The benefit is that the user is just a regular user most of the time and only needs admin level rights some of the time.  Imagine what could happen if a user logged in as Administrator were to open an email with a trojan.  The trojan would run in the user context (i.e. as an Administrator).  The damage done would be much less if the user context were just a regular user account.

MS Knowledge Base Article 220535 has information on using the Run As command.  In most cases, it is a one time setup.

I would also suggest you rename the Default Administrator Account on each machine and create another Admin level account on each machine.  A small effort on the front-end to avoid a huge headache down the road.
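
An audit for the advice in the answer above, as an added example that is not part of the original post: it parses the text that `net localgroup Administrators` prints on a workstation and lists domain accounts that sit in local Administrators without being on an allow-list. The captured output, the `CORP` domain, the account names and the allow-list are constructed assumptions, and English-language command output is assumed.

```python
import re

# Constructed sample: output of `net localgroup Administrators` captured on one
# workstation (domain and account names are made up for illustration).
SAMPLE_OUTPUT = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\\Domain Admins
CORP\\jsmith
wsadmin
The command completed successfully.
"""

# Assumption: domain principals that are expected in local Administrators.
ALLOWED_DOMAIN_MEMBERS = {"corp\\domain admins"}


def parse_members(output):
    """Return the member names listed by `net localgroup <group>`."""
    lines = output.splitlines()
    # The member list starts after the dashed separator line.
    start = next((i for i, line in enumerate(lines)
                  if re.fullmatch(r"-{10,}", line.strip())), None)
    if start is None:
        raise ValueError("no member separator found; not `net localgroup` output")
    members = []
    for line in lines[start + 1:]:
        name = line.strip()
        # Skip blank lines and the trailing status line.
        if not name or name.lower().startswith("the command completed"):
            continue
        members.append(name)
    return members


def unexpected_domain_admins(output, allowed=ALLOWED_DOMAIN_MEMBERS):
    """Domain accounts (DOMAIN\\name) in the group that are not allow-listed."""
    return [m for m in parse_members(output)
            if "\\" in m and m.lower() not in allowed]


if __name__ == "__main__":
    for account in unexpected_domain_admins(SAMPLE_OUTPUT):
        print("candidate for Power Users plus Run As:", account)
```

Local accounts such as the renamed built-in Administrator and the extra admin account carry no domain prefix, so they are not reported.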
LVL 4

Expert Comment

by:averyb
ID: 10943831
I forgot to add that the domain user accounts don't have any access to servers or any machine other than their own.

You would have to explicitly add their domain user account to the appropriate group for that to happen.
LVL 3

Author Comment

by:charlietou
ID: 10943874
Most clients are Win2K or WinXP.  A few are Win98 (to be upgraded shortly).

I'm pushing for them to upgrade to Win2K for all the Win98 machines, but they'll probably be around for the initial domain setup.  And I know that Win98 has no security per se anyway, so those users shouldn't be inconvenienced in any way.

Thanks for the quick reply.


Charlie T.