Solved

Granting local rights to a domain user

Posted on 2004-04-28
3
657 Views
Last Modified: 2010-04-13
Hello, folks,

I'm in the planning stages of a small peer-to-peer network moving to a domain, which will be running Win2k Server.  The company wants to maintain the users' ability to manage their own workstations.  I don't want everyone to have admin access on the domain.  How do you grant a normal domain user full access to their own machine, but restricted access to the server and the other machines on the network?

Thanks for the reply.

Charlie T.
0
Comment
Question by:charlietou
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 4

Accepted Solution

by:
averyb earned 195 total points
ID: 10943828
What OS are the client machines?

You'll be creating new domain accounts for each user.

Just add each person's domain account to the Local Power Users Group on each workstation.  

You can use Computer Management to do this once all of the computers have been added to the domain and all of the user accounts have been created.  Simply right-click the computer in question in AD Users and Computers and select manage.  Expand Local Users and Groups | Open Groups | Double-click Power users Group | Click Add | select the appropriate users domain account.

Power Users can do more things than the regular users.  Thye can install apps, manage printers, change the time, and such.  They won't be able to make some high-level networking changes though.  Chances are this will work for the large majority of users.

You might be tempted to put the Domain usre accounts in the Local Administrators group on each machine.  I wouldn't.  It is much better to leverage the "Run As" command.  The benefit is that the user is just a regular user most of the time and only needs admin level rights some of the time.  Imagine what could happen if a user logged in as Administrator were to open an email with a trojan.  The trojan would run in the user context (i.e. as an Administrator).  The damage done would be much less if the user context were just a regular user account.

MS Knowledge Base Article 220535 has information on using the Run As command.  In most cases, it is a one time setup.

I would also suggest you rename the Default Administrator Account on each machine and create another Admin level account on each machine.  A small effort on the front-end to avoid a huge headache down the road.
0
 
LVL 4

Expert Comment

by:averyb
ID: 10943831
I forgot to add that the domain user accounts don't have any access to servers or any machine other than their own.

You would have to explicitly add their domain user account to the appropriate group for that to happen.
0
 
LVL 3

Author Comment

by:charlietou
ID: 10943874
Most clients are Win2K or WinXP.  A few are Win98 (to be upgraded shortly).

I'm pushing for them to upgrade to Win2K for all the Win98 machines, but they'll probably be around for the initial domain setup.  And I know that Win98 has no security per se anyway, so those users shouldn't be inconvenienced in any way.

Thanks for the quick reply.


Charlie T.
0

Featured Post

Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
Containers like Docker and Rocket are getting more popular every day. In my conversations with customers, they consistently ask what containers are and how they can use them in their environment. If you’re as curious as most people, read on. . .
How to Install VMware Tools in Red Hat Enterprise Linux 6.4 (RHEL 6.4) Step-by-Step Tutorial
Finding and deleting duplicate (picture) files can be a time consuming task. My wife and I, our three kids and their families all share one dilemma: Managing our pictures. Between desktops, laptops, phones, tablets, and cameras; over the last decade…

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question