Active Directory. 2003 Server, XP Clients. Can you add Domain users to the Clients' Local admins group?

Posted on 2004-09-23
Last Modified: 2010-08-05
Yeah, I know it's a crazy mad back-to-front question, and why on earth would you do it, as it defeats the object of having the domain users in the domain users group.

The company I have just started work for has an ancient 16-bit application, a little bit like CAD. Well, it functions the same as CAD as it happens, it's just nowhere near as good as CAD, and it only works correctly if (get this!) you are a member of the PC's LOCAL ADMINS GROUP. It's all red tape, as they would love to buy a decent app, but someone must be getting a big backhander to keep it, as they have to use this ancient 16-bit app. Don't ask!
They are moving over shortly from peer-to-peer to a full-blown 2003 domain with XP clients.
I'm trying to figure out how to allow these engineers who use this program to use roaming profiles, so as to allow them to roam obviously, but also to use this ancient annoying app.

I'm not even sure if I can add DOMAIN USERS to the PC's LOCAL ADMINS GROUP, and if I can, I'm not too sure how, as I've had a look but can't see how. Also, the security implications could be mind-blowing (normal domain users in a Local admins group).

If this isn't possible, maybe Group Policies might get round it.
If not, we may simply have to designate certain PCs to be used only for this app, which will not be a popular decision.

If anyone has any alternate suggestions, I would appreciate it.
Also, is it actually possible to add Domain Users to the PC's local admins group, and if so, how?


Question by:rpartington
6 Comments
 
LVL 10

Accepted Solution

by:
jhautani earned 260 total points
ID: 12138225
Possible reasons for the app to need admin rights are that it tries to write either to a registry branch or to a file which normal users don't have rights to write to.
What I would do is use some monitoring software to find out where this software writes its stuff.
These I use myself:
Process Explorer and Regmon from Sysinternals:
http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
http://www.sysinternals.com/ntw2k/source/regmon.shtml

About adding Users to local admins group see:
http://www.experts-exchange.com/Operating_Systems/Windows_Server_2003/Q_21042915.html

hope this helps
0
 
LVL 9

Author Comment

by:rpartington
ID: 12150857
Thanks for the quick response.
With ref to
http://www.experts-exchange.com/Operating_Systems/Windows_Server_2003/Q_21042915.html

I have tried every variation under the sun, apart from obviously the correct one, because I cannot get this to work.
I can't understand how, from a domain, you can give domain users local admin rights if you cannot actually pick up the local admin group from the domain, or the local power users, and assign the rights to the restricted.
As I say, I have tried countless variations to get the advice in the above link to work, none of which are working for me.
I'm obviously going wrong somewhere, but I can't see where, using the following policy, you can actually pick up the local admins group etc.
MACHINE Config
Windows Settings\Security Settings\Restricted Groups

Time for a cup of tea and come back to it later I think.
0
 
LVL 10

Expert Comment

by:jhautani
ID: 12151079
When you add a group in Restricted Groups, do not browse for it; instead just write Administrators and click OK. Then, when it asks for members of this group, add administrator (meaning the computer's local administrator account; again, do not browse for this account) and the appropriate domain user group (like domain users).

hope this helps
0
LVL 16

Expert Comment

by:JamesDS
ID: 12154276
rpartington
You can add Domain Users to the local administrators group. There are 2 ways of doing it.

The first is to use Group Policy to run a STARTUP script on each machine (not a logon script). In the startup script you use the command: NET LOCALGROUP ADMINISTRATORS "domainname\DOMAIN USERS" /ADD

The second is to use restricted groups.
This is a machine policy, so it must be applied to the OU or domain containing all your machine accounts.
Doing it from the domain controller is easiest: open the GPO editing tool and select or create your GPO. For my example I created an OU called Machines and put all my machine accounts in it. Then I created a new GPO called local admins, which was created and linked on the new OU.

Navigate to the Restricted Groups object within the GPO.
Then create a new Restricted Groups policy:
Add Group "Administrators" - this is the name of the local group you wish to restrict.
In the Members of the group dialog, click Add and browse to the Domain Users group.
Select OK and OK and you're done.

Test it by rebooting a machine a couple of times to make sure that the policy is downloaded and applied, and check your settings.

Cheers

JamesDS
0
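
The startup-script method from the answer above, written out as a complete script. This is an added example, not part of the original post: the domain group EXAMPLE\CAD-Engineers and the log path are hypothetical placeholders, and the local group name assumes an English-language Windows install. A dedicated group for the engineers is assumed here because it scopes the grant more narrowly than Domain Users; the script works the same way with any group name.

```batch
@echo off
rem Added example: computer STARTUP script (assigned through Group Policy, so it
rem runs as Local System at boot). Not from the original thread.
rem Assumed placeholders: EXAMPLE\CAD-Engineers (hypothetical domain group)
rem and the log file path below.
setlocal
set "LOCALGROUP=Administrators"
set "MEMBER=EXAMPLE\CAD-Engineers"
set "LOG=%SystemRoot%\Temp\localadmin-startup.log"

rem "net localgroup <group>" prints one member per line. /X matches whole lines
rem only, /I ignores case, /L /C: treats the name (spaces included) as a literal.
net localgroup "%LOCALGROUP%" | findstr /I /X /L /C:"%MEMBER%" >nul
if not errorlevel 1 (
    echo %DATE% %TIME% %MEMBER% already in %LOCALGROUP% >> "%LOG%"
    goto :report
)

rem The quotes matter: a name such as "Domain Users" contains a space and would
rem otherwise be split into two arguments.
net localgroup "%LOCALGROUP%" "%MEMBER%" /add >> "%LOG%" 2>&1
if errorlevel 1 (
    echo %DATE% %TIME% FAILED to add %MEMBER% to %LOCALGROUP% >> "%LOG%"
    endlocal
    exit /b 1
)
echo %DATE% %TIME% added %MEMBER% to %LOCALGROUP% >> "%LOG%"

:report
rem Record the resulting membership so it can be reviewed after the reboot.
net localgroup "%LOCALGROUP%" >> "%LOG%" 2>&1
endlocal
exit /b 0
```

The membership check keeps the script from logging an "already a member" error on every boot, and the membership dump at the end gives a per-machine record of who holds local admin rights.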
 
LVL 16

Assisted Solution

by:JamesDS
JamesDS earned 240 total points
ID: 12154279
rpartington
More info on the script method:
http://www.experts-exchange.com/Operating_Systems/Win2000/Q_21141986.html#12152243


Cheers

JamesDS
0
 
LVL 9

Author Comment

by:rpartington
ID: 12155189
Thanks for the help jhautani and James,
I had to split the points as jhautani was obviously spot-on correct; it's just that for some weird odd reason it only works for me with the startup script. I can see that jhautani was correct by all the other info I've since found relating to the restricted groups policy, which I never knew previously.
Only thing though is I've spent hours on this due to getting totally sidetracked following all these interesting links, and I totally forgot what I was here for and went off reading other links.
Anyway, thanks very much lads, as I have now got a great idea of where to go with this issue from here, and also as a bonus I've now found some good reading on the way too.

Thanks very much and take care.

Roy
0
