Solved

Active Directory. 2003 Server, XP Clients. Can you add Domain users to Clients' Local admins group?

Posted on 2004-09-23
Last Modified: 2010-08-05
Yeah, I know it's a crazy mad back-to-front question, and why on earth would you do it, as it defeats the object of having the domain users in the domain users group.

The company I have just started work for has an ancient 16-bit application, a little bit like CAD. Well, it functions the same as CAD as it happens, it's just nowhere near as good as CAD, and it only works correctly if (get this!) you are a member of the PC's LOCAL ADMINS GROUP. It's all red tape, as they would love to buy a decent app, but someone must be getting a big backhander to keep it, as they have to use this ancient 16-bit app. Don't ask!
They are moving over shortly from peer-to-peer to a full-blown 2003 domain with XP clients.
I'm trying to figure out how to allow the engineers who use this program to use roaming profiles, so as to allow them to roam, obviously, but also to use this ancient, annoying app.

I'm not even sure if I can add DOMAIN USERS to the PC's LOCAL ADMINS GROUP, and if I can, I'm not too sure how, as I've had a look but can't see how. Also, the security implications could be mind-blowing (normal domain users in a local admins group).

If this isn't possible, maybe Group Policies might get round it.
If not, we may simply have to designate certain PCs to be used only for this app, which will not be a popular decision.

If anyone has any alternate suggestions, I would appreciate it.
Also, is it actually possible to add Domain Users to the PC's local admins group, and if so, how?


Question by:rpartington
6 Comments

Accepted Solution

by:
jhautani earned 65 total points
ID: 12138225
Possible reasons for the app to need admin rights are that it tries to write to either a registry branch or a file which normal users don't have rights to write to.
What I would do is use some monitoring software to find out where this software writes its stuff.
These I use myself:
Process Explorer and Regmon from Sysinternals:
http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
http://www.sysinternals.com/ntw2k/source/regmon.shtml

About adding users to the local admins group, see:
http://www.experts-exchange.com/Operating_Systems/Windows_Server_2003/Q_21042915.html

Hope this helps

Author Comment

by:rpartington
ID: 12150857
Thanks for the quick response.
With reference to
http://www.experts-exchange.com/Operating_Systems/Windows_Server_2003/Q_21042915.html

I have tried every variation under the sun, apart from, obviously, the correct one, because I cannot get this to work.
I can't understand how, from a domain, you can give domain users local admin rights if you cannot actually pick up the local admin group from the domain, or the local power users, and assign the rights to the restricted.
As I say, I have tried countless variations to get the advice in the above link to work, none of which are working for me.
I'm obviously going wrong somewhere, but I can't see where, using the following policy, you can actually pick up the local admins group etc.
MACHINE Config
Windows Settings\Security Settings\Restricted Groups

Time for a cup of tea and come back to it later, I think.

Expert Comment

by:jhautani
ID: 12151079
When you add a group in Restricted Groups, do not browse for it; instead just write Administrators and click OK. Then, when it asks for members of this group, add administrator (meaning the computer's local administrator account; again, do not browse for this account) and the appropriate domain user group (like Domain Users).

Hope this helps

Expert Comment

by:JamesDS
ID: 12154276
rpartington
You can add Domain Users to the local administrators group. There are 2 ways of doing it.

The first is to use Group Policy to run a STARTUP script on each machine (not a logon script). In the startup script you use the command:
NET LOCALGROUP ADMINISTRATORS "domainname\DOMAIN USERS" /ADD

The second is to use restricted groups.
This is a machine policy, so it must be applied to the OU or domain containing all your machine accounts.
It is easiest from the domain controller: open the GPO editing tool and select or create your GPO. For my example I created an OU called Machines and put all my machine accounts in it. Then I created a new GPO called local admins, which was created and linked on the new OU.

Navigate to the Restricted Groups object within the GPO.
Then create a new Restricted Groups policy:
Add Group "Administrators" - this is the name of the local group you wish to restrict.
In the Members of the group dialog, click Add and browse to the Domain Users group.
Select OK and OK and you're done.

Test it by rebooting a machine a couple of times to make sure that the policy is downloaded and applied, and check your settings.

Cheers

JamesDS

Assisted Solution

by:JamesDS
JamesDS earned 60 total points
ID: 12154279
rpartington
More info on the script method:
http://www.experts-exchange.com/Operating_Systems/Win2000/Q_21141986.html#12152243


Cheers

JamesDS
0
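
The startup-script method from JamesDS's answers, written out as a batch file. This is an added example, not code from the thread: `EXAMPLE` is a placeholder domain name and the log path is an assumption. Setting MEMBER to a dedicated group for the application's users instead of Domain Users narrows who receives local admin rights.

```batch
@echo off
setlocal
rem Added example: computer startup script for a GPO (runs as SYSTEM at boot).
rem EXAMPLE is a placeholder NetBIOS domain name. "Administrators" is the
rem group name on English-language Windows; localized builds name it differently.
set "TARGET=Administrators"
set "MEMBER=EXAMPLE\Domain Users"
set "LOG=%SystemRoot%\Temp\localadmins-startup.log"

rem Skip the add when the member is already listed, so repeated boots
rem do not log "system error 1378" (already a member) as a failure.
net localgroup "%TARGET%" | find /i "%MEMBER%" >nul
if not errorlevel 1 goto verify

net localgroup "%TARGET%" "%MEMBER%" /add >>"%LOG%" 2>&1
if errorlevel 1 (
    echo %DATE% %TIME% FAILED to add "%MEMBER%" to %TARGET% >>"%LOG%"
    exit /b 1
)
echo %DATE% %TIME% added "%MEMBER%" to %TARGET% >>"%LOG%"

:verify
rem Record the resulting membership so the change can be reviewed later.
echo %DATE% %TIME% members of %TARGET% on %COMPUTERNAME%: >>"%LOG%"
net localgroup "%TARGET%" >>"%LOG%" 2>&1
exit /b 0
```

The log gives a per-machine record of who is in the local Administrators group after each boot, which is the "check your settings" step done automatically.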
 

Author Comment

by:rpartington
ID: 12155189
Thanks for the help, jhautani and James.
I had to split the points as jhautani was obviously spot-on correct; it's just that for some weird, odd reason it only works for me with the startup script. I can see that jhautani was correct by all the other info I've since found relating to the restricted groups policy, which I never knew previously.
Only thing, though, is I've spent hours on this due to getting totally sidetracked following all these interesting links, and I totally forgot what I was here for and went off reading other links.
Anyway, thanks very much, lads, as I have now got a great idea of where to go with this issue from here, and also, as a bonus, I've now found some good reading on the way too.

Thanks very much and take care.

Roy