Solved

Giving domain users local admin rights over their machines

Posted on 2004-10-14
Last Modified: 2010-04-13
Can someone tell me how to give domain users (2000 domain) local administrator rights over their machines?
The problem is I'm using Symantec Client Security and a Windows 2000 domain user does not have local administrative rights over the machine and it's very restrictive and won't allow her to use or limits her access to a lot of programs.

I created a group policy but I added everyone to the wrong administrators group and they had as much power as my domain administrator (which was very scary for a minute).

So specifically, how do I give the domain users administrative rights for the local machine?

Please be very specific.


SJ
0
Question by:AccessMaster
9 Comments
 
LVL 20

Expert Comment

by:Debsyl99
ID: 12311357
Hi
Try:
net localgroup Administrators /add "YOURDOMAIN\Domain Users"
Although I'd maybe use a security group on the domain, add the users you want and then add that group instead.

Deb :))
0
 

Author Comment

by:AccessMaster
ID: 12312187
O.K. Deb,

I'm trying to follow you. Where exactly is the localgroup administrators?
I've looked in Active Directory and I don't see such a group.
Do I need to create it? And if so how?



SJ
0
 
LVL 20

Accepted Solution

by:
Debsyl99 earned 70 total points
ID: 12312271
Sorry - I should have been more specific. You should be able to just run this from a command prompt or even assign it to start-up script maybe.

Login with admin account on the pc -click - Start - run - type in cmd, click ok to bring up a command prompt. Type   cd\    hit enter to get to C:\ prompt (you may not need to do this but it won't hurt)

Then type

net local group Administrators /add YOURDOMAIN\nameof securitygroup

then hit enter. You can check the addition by start-run - type in lusrmgr.msc, go to groups, Administrators, double-click or right click properties and check the membership. I suggested using a security group as you can easily remove selected domain users from this group in AD, rather than have to visit each pc.

Hope that helps, but please post back if you need any further info,

Deb :))
0
 

Author Comment

by:AccessMaster
ID: 12312367
O.K Great I think I understand.

Just to reiterate,

I need to create a security group in active directory - which will contain all of the domain users.
Then I need to visit each PC and type: net local group Administrators /add YOURDOMAIN\nameof securitygroup at the C:/ prompt

And that's it.

Let me tell you something that was strange that happened when I tried to manually add a domain user to the local administrative group on a PC. After she shut down for the day, when she came back in the morning and turned on the machine she lost all of the mapped network drives and she couldn't even open any apps (because she no longer had admin rights),
I used the admin account to add her domain user account to the local admin group. I'm still puzzled as to why it did that.
I'm hoping this will solve this reverting back. Or do you think it may be another problem.

SJ

0

 
LVL 20

Expert Comment

by:Debsyl99
ID: 12312468
This could be applied to a computer start-up script I believe to save you visiting each pc, but I'm not sure that's your problem.

Could be another problem actually - once added to a local user group such as administrators, a domain account should really stay there! Maybe there's a network or domain problem going on. First port of call for me (Probably because it's the easiest and quickest!) is to check out the event logs on both server and client - all of them, and note any errors. These are in event viewer - administrative tools - control panel (sorry- just don't know how much you already know so being safe!)

"I need to create a security group in active directory - which will contain all of the domain users." - You don't need to, but it's easier to administer, so yes, do that,
and the rest - yes that's right (how many users have you got?). Maybe post your event logs first and we'll take it from there, but try it if you want to see how it works,


Deb :))
0
 
LVL 20

Expert Comment

by:Debsyl99
ID: 12312477
Sorry that's localgroup (not local group)
0
 

Author Comment

by:AccessMaster
ID: 12313065
I've got 100 users over 3 buildings so I'm definitely going to use the security group.

It's just one machine the reverting back is happening on. I think I might just wipe it.
I'll try this tonight or either early tomorrow before everyone gets in - I'm PRAYING that this works.
I've been battling with this for three weeks now.

What type of scripting language should I use, or can you point to an article? Where is this script stored, on the server or on the machines? Can I dump the script in a login.bat file?

Any help you can give would be great, I know I'm pushing it for just 70 points.

SJ
0
 
LVL 20

Expert Comment

by:Debsyl99
ID: 12313135
lol - yes you are! batch file will do it I think,

have a look at group policy - you'll need start-up scripts rather than logon scripts as logon scripts run under the permissions of the user account logging on. Save the command in a file, give it a .bat extension, apply it to a start-up script in an OU, make sure pc's within the OU have read and apply group policy permissions on the GPO and off you go, (Have a google for 2000 domain startup scripts) or you can post a 500 pointer and get stacks of help (and not just from me)!

Deb ;-)

0
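The start-up script approach described in the comment above, as an added example that is not part of the original thread. MYDOMAIN, the "Workstation Admins" security group and the log path are placeholders; the script is meant to be assigned as a computer start-up script in a GPO, where it runs under the Local System account, and it adds a dedicated security group rather than Domain Users so membership can be managed in AD.

```batch
@echo off
rem Added example, not from the thread.
rem Placeholders (assumptions): MYDOMAIN, "Workstation Admins", the log path.
rem Assign as a computer start-up script, not a logon script: logon scripts
rem run with the permissions of the user logging on and cannot change the
rem local Administrators group.
setlocal
set "GROUP=MYDOMAIN\Workstation Admins"
set "LOG=%SystemRoot%\Temp\localadmin.log"

rem Do nothing if the group is already a member, so that every reboot
rem does not produce an "already a member" error.
net localgroup Administrators | find /i "%GROUP%" >nul
if not errorlevel 1 goto done

rem Add the domain security group and record the outcome for later review.
net localgroup Administrators "%GROUP%" /add >>"%LOG%" 2>&1
if errorlevel 1 (
    echo %DATE% %TIME% FAILED to add %GROUP% on %COMPUTERNAME% >>"%LOG%"
    goto done
)
echo %DATE% %TIME% added %GROUP% on %COMPUTERNAME% >>"%LOG%"

:done
endlocal
```

Membership can be confirmed afterwards with lusrmgr.msc as described earlier in the thread, or by running net localgroup Administrators on the machine.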
 

Author Comment

by:AccessMaster
ID: 12555229
Thanks for your help Debsyl99
0
