Solved

Active Directory, 2003 Server, XP clients: can you add Domain Users to the clients' local Administrators group?

Posted on 2004-09-23
Last Modified: 2010-08-05
Yeh, I know it's a crazy, mad, back-to-front question, and why on earth would you do it, as it defeats the object of having the domain users in the Domain Users group.

The company I have just started work for has an ancient 16-bit application, a little bit like CAD (well, it functions the same as CAD as it happens, it's just nowhere near as good as CAD), and it only works correctly if (get this!) you are a member of the PC's LOCAL ADMINS GROUP. It's all red tape, as they would love to buy a decent app, but someone must be getting a big backhander to keep it, as they have to use this ancient 16-bit app. Don't ask!
They are moving over from peer-to-peer shortly to a full-blown 2003 domain with XP clients.
I'm trying to figure out how to allow these engineers who use this program to be able to use roaming profiles, so as to allow them to roam obviously, but also to use this ancient annoying app.

I'm not even sure if I can add DOMAIN USERS to the PCs' LOCAL ADMINS GROUP, and if I can I'm not too sure how, as I've had a look but can't see how. Also the security implications could be mind-blowing (normal domain users in a local admins group).

If this isn't possible, maybe Group Policies might get round it.
If not, we may simply have to designate certain PCs to be used only for this app, which will not be a popular decision.

If anyone has any alternate suggestions I would appreciate it.
Also, is it actually possible to add Domain Users to the PCs' local admins group, and if so, how?


Question by: rpartington
6 Comments
 
LVL 10

Accepted Solution

by: jhautani
jhautani earned 65 total points
ID: 12138225
Possible reasons for the app to need admin rights are that it tries to write either to a registry branch or to a file which normal users don't have rights to write.
What I would do is use some monitoring software to find out where this software writes its stuff.
These I use myself:
Process Explorer and Regmon from Sysinternals:
http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
http://www.sysinternals.com/ntw2k/source/regmon.shtml

About adding users to the local admins group, see:
http://www.experts-exchange.com/Operating_Systems/Windows_Server_2003/Q_21042915.html

hope this helps
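The least-privilege alternative jhautani describes (find what the app writes to, then grant rights there rather than local admin), as an added PowerShell example that is not from this thread. The folder, registry key and group names are placeholders standing in for whatever Regmon/Process Monitor shows the app touching; it assumes a modern PowerShell run elevated on the client, and the last step audits the local Administrators group for broad domain groups such as Domain Users.

```powershell
# Added example, not from the thread. Placeholders: the app's data folder and
# registry key (as found with Regmon/Process Monitor) and the engineers' domain group.
$Group   = 'CONTOSO\CadEngineers'
$Folder  = 'C:\Apps\LegacyCad'
$RegPath = 'HKLM:\SOFTWARE\LegacyCad'

# 1. Folder: Modify lets the group read, write and delete its own files;
#    inheritance flags push the ACE down to subfolders and files.
$acl  = Get-Acl -Path $Folder
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $Group, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
$acl.AddAccessRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 2. Registry: only the rights an app needs to save its settings, not FullControl.
$regAcl  = Get-Acl -Path $RegPath
$regRule = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule `
    -ArgumentList $Group,
        'QueryValues,SetValue,CreateSubKey,EnumerateSubKeys,Notify,ReadPermissions',
        'ContainerInherit', 'None', 'Allow'
$regAcl.AddAccessRule($regRule)
Set-Acl -Path $RegPath -AclObject $regAcl

# 3. Verify: list the ACEs that now apply to the group on both locations.
(Get-Acl -Path $Folder).Access  | Where-Object { $_.IdentityReference.Value -eq $Group }
(Get-Acl -Path $RegPath).Access | Where-Object { $_.IdentityReference.Value -eq $Group }

# 4. Audit: warn if a broad group is sitting in the local Administrators group
#    (the situation the thread is asking about, and the one to look for on every PC).
$broad   = 'Domain Users', 'Authenticated Users', 'Everyone', 'Users'
$admins  = [ADSI]'WinNT://./Administrators,group'
$members = @($admins.Invoke('Members')) | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
}
$members | Where-Object { $broad -contains $_ } | ForEach-Object {
    Write-Warning "Local Administrators contains broad group '$_' on $env:COMPUTERNAME"
}
```

If the app still fails after the folder and key it writes to are opened up, rerun the monitor: the remaining access-denied entries point at the next location to grant, and admin membership stays off the table.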
 
LVL 9

Author Comment

by: rpartington
ID: 12150857
Thanks for the quick response.
With ref to
http://www.experts-exchange.com/Operating_Systems/Windows_Server_2003/Q_21042915.html

I have tried every variation under the sun, apart from obviously the correct one because I cannot get this to work.
I can't understand how, from a domain, you can give domain users local admin rights if you cannot actually pick up the local admin group from the domain, or the local Power Users, and assign the rights to the restricted.
As I say, I have tried countless variations to get the advice in the above link to work, none of which are working for me.
I'm obviously going wrong somewhere, but I can't see where, using the following policy, you can actually pick up the local admins group etc.:
MACHINE Config
Windows Settings\Security Settings\Restricted Groups

Time for a cup of tea and come back to it later I think.
 
LVL 10

Expert Comment

by: jhautani
ID: 12151079
When you add a group in Restricted Groups, do not browse for it; instead just write Administrators and click OK. Then, when it asks for members of this group, add Administrator (meaning the computer's local Administrator account; again, do not browse for this account) and the appropriate domain user group (like Domain Users).

hope this helps
 
LVL 16

Expert Comment

by: JamesDS
ID: 12154276
rpartington
You can add Domain Users to the local Administrators group. There are two ways of doing it.

The first is to use Group Policy to run a STARTUP script on each machine (not a logon script). In the startup script you use the command NET LOCALGROUP ADMINISTRATORS "domainname\Domain Users" /ADD (the group name contains a space, so it must be quoted).

The second is to use restricted groups.
This is a machine policy, so it must be applied to the OU or domain containing all your machine accounts.
From the domain controller is easiest: open the GPO editing tool and select or create your GPO. For my example I created an OU called Machines and put all my machine accounts in it. Then I created a new GPO called Local Admins, which was created and linked on the new OU.

Navigate to the Restricted Groups object within the GPO.
Then create a new Restricted Groups policy:
Add Group "Administrators" - this is the name of the local group you wish to restrict.
In the Members of this group dialog, click Add and browse to the Domain Users group.
Select OK and OK and you're done.

Test it by rebooting a machine a couple of times to make sure that the policy is downloaded and applied, and check your settings.

Cheers

JamesDS
 
LVL 16

Assisted Solution

by: JamesDS
JamesDS earned 60 total points
ID: 12154279
rpartington
More info on the script method:
http://www.experts-exchange.com/Operating_Systems/Win2000/Q_21141986.html#12152243


Cheers

JamesDS
 
LVL 9

Author Comment

by: rpartington
ID: 12155189
Thanks for the help jhautani and James,
I had to split the points as jhautani was obviously spot-on correct; it's just that for some weird odd reason it only works for me with the startup script. I can see that jhautani was correct by all the other info I've since found relating to the Restricted Groups policy, which I never knew previously.
Only thing though, is I've spent hours on this due to getting totally sidetracked following all these interesting links, and I totally forgot what I was here for and went off reading other links.
Anyway, thanks very much lads, as I have now got a great idea of where to go with this issue from here, and also as a bonus I've now found some good reading on the way too.

Thanks very much and take care.

Roy