Solved

Giving domain users local admin rights over their machines

Posted on 2004-10-14
Last Modified: 2010-04-13
Can someone tell me how to give domain users (2000 domain) local administrator rights over their machines?
The problem is I'm using Symantec Client Security and a Windows 2000 domain user does not have local administrative rights over the machine and it's very restrictive and won't allow her to use or limits her access to a lot of programs.

I created a group policy but I added everyone to the wrong administrators group and they had as much power as my domain administrator (which was very scary for a minute).

So specifically, how do I give the domain users administrative rights for the local machine?

Please be very specific.


SJ
Question by:AccessMaster
9 Comments
 
LVL 20

Expert Comment

by:Debsyl99
ID: 12311357
Hi
Try:
net localgroup Administrators /add "YOURDOMAIN\Domain Users"
Although I'd maybe use a security group on the domain, add the users you want and then add that group instead.

Deb :))
0
 

Author Comment

by:AccessMaster
ID: 12312187
O.K. Deb,

I'm trying to follow you. Where exactly is the localgroup administrators?
I've looked in Active Directory and I don't see such a group.
Do I need to create it? And if so how?



SJ
0
 
LVL 20

Accepted Solution

by:
Debsyl99 earned 70 total points
ID: 12312271
Sorry - I should have been more specific. You should be able to just run this from a command prompt or even assign it to start-up script maybe.

Login with admin account on the pc -click - Start - run - type in cmd, click ok to bring up a command prompt. Type   cd\    hit enter to get to C:\ prompt (you may not need to do this but it won't hurt)

Then type

net local group Administrators /add YOURDOMAIN\nameof securitygroup

then hit enter. You can check the addition by start-run - type in lusrmgr.msc, go to groups, Administrators, double-click or right click properties and check the membership. I suggested using a security group as you can easily remove selected domain users from this group in AD, rather than have to visit each pc.

Hope that helps, but please post back if you need any further info,

Deb :))
0
 

Author Comment

by:AccessMaster
ID: 12312367
O.K Great I think I understand.

Just to reiterate,

I need to create a security group in active directory - which will contain all of the domain users.
Then I need to visit each PC and type: net local group Administrators /add YOURDOMAIN\nameof securitygroup at the C:/ prompt

And that's it.

Let me tell you something that was strange that happened when I tried to manually add a domain user to the local administrative group on a PC. After she shut down for the day, when she came back in the morning and turned on the machine she lost all of the mapped network drives and she couldn't even open any apps (because she no longer had admin rights),
I used the admin account to add her domain user account to the local admin group. I'm still puzzled as to why it did that.
I'm hoping this will solve this reverting back. Or do you think it may be another problem?

SJ
0
 
LVL 20

Expert Comment

by:Debsyl99
ID: 12312468
This could be applied to a computer start-up script I believe to save you visiting each pc, but I'm not sure that's your problem.

Could be another problem actually - once added to a local user group such as administrators, a domain account should really stay there! Maybe there's a network or domain problem going on. First port of call for me (Probably because it's the easiest and quickest!) is to check out the event logs on both server and client - all of them, and note any errors. These are in event viewer - administrative tools - control panel (sorry- just don't know how much you already know so being safe!)

"I need to create a security group in active directory - which will contain all of the domain users." - You don't need to, but it's easier to administer, so yes, do that,
and the rest - yes that's right (how many users have you got?). Maybe post your event logs first and we'll take it from there, but try it if you want to see how it works,


Deb :))
0
 
LVL 20

Expert Comment

by:Debsyl99
ID: 12312477
Sorry that's localgroup (not local group)
0
 

Author Comment

by:AccessMaster
ID: 12313065
I've got 100 users over 3 buildings so I'm definitely going to use the security group.

It's just one machine the reverting back is happening on. I think I might just wipe it.
I'll try this tonight or either early tomorrow before everyone gets in - I'm PRAYING that this works.
I've been battling with this for three weeks now.

What type of scripting language should I use or can you point to an article? Where is this script stored, on the server or on the machines? Can I dump the script in a login.bat file?

Any help you can give would be great, I know I'm pushing it for just 70 points.

SJ
0
 
LVL 20

Expert Comment

by:Debsyl99
ID: 12313135
lol - yes you are! batch file will do it I think,

have a look at group policy - you'll need start-up scripts rather than logon scripts as logon scripts run under the permissions of the user account logging on. Save the command in a file, give it a .bat extension, apply it to a start-up script in an OU, make sure pc's within the OU have read and apply group policy permissions on the GPO and off you go, (Have a google for 2000 domain startup scripts) or you can post a 500 pointer and get stacks of help (and not just from me)!

Deb ;-)

0
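The start-up script described in the comment above, as an added example that is not part of the original thread: it adds one dedicated domain security group to the local Administrators group only if it is missing, then logs the resulting membership so an over-broad entry such as Domain Users is visible. The names CONTOSO and "Workstation Admins" and the log path are placeholders, and an English-language Windows (local group named Administrators) is assumed.

```bat
@echo off
rem Computer start-up script: runs in the machine's security context at boot,
rem so it can change local group membership (a logon script runs as the user).
rem CONTOSO, "Workstation Admins" and the log path are placeholder values.
setlocal
set "TARGET=CONTOSO\Workstation Admins"
set "LOG=%SystemRoot%\Temp\localadmin-startup.log"

rem Skip the add when the group is already a member, so reboots stay quiet.
net localgroup Administrators | find /i "%TARGET%" >nul
if not errorlevel 1 (
    echo %DATE% %TIME% %COMPUTERNAME%: %TARGET% already present >>"%LOG%"
    goto audit
)

rem Add the dedicated security group, never the built-in Domain Users group.
net localgroup Administrators "%TARGET%" /add >>"%LOG%" 2>&1
if errorlevel 1 (
    echo %DATE% %TIME% %COMPUTERNAME%: FAILED to add %TARGET% >>"%LOG%"
) else (
    echo %DATE% %TIME% %COMPUTERNAME%: added %TARGET% >>"%LOG%"
)

:audit
rem Record who holds local admin rights after this run.
net localgroup Administrators >>"%LOG%" 2>&1

rem Flag the over-broad case: every domain user being a local administrator.
net localgroup Administrators | find /i "\Domain Users" >nul
if not errorlevel 1 echo %DATE% %TIME% %COMPUTERNAME%: WARNING Domain Users is a local admin >>"%LOG%"
endlocal
```

Removing a user from the domain security group in AD then revokes that user's local admin rights on every machine without touching the script.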
 

Author Comment

by:AccessMaster
ID: 12555229
Thanks for your help Debsyl99
0
