Bekster
asked on
Granting a Group local admin rights in Windows 2000
We have a number of Windows 2000 systems in a mixed mode environment. I would like everyone to have admin right to the local machines, but I have to add each user to each machine. When I add a new user to a machine the domain only lists users, not groups. Can't I add Domain Users Group and give them local admin rights?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Lee W, MVP
You do understand this is a tremendous security risk, if any user does something stupid or by accident and gets a virus or other nasty program, it could easily propogate to the entire network like this.
Hi
You're really brave adding all users to the local admins group -
However here's what I do on the odd occasion it's necessary which you might consider. Create a security group in active directory users and computers, make it a member of domain users and add all the users you want to it.
Then either run this from a batch script on the pc, or save it as a batch file and run it as a start-up script via group policy to save you the hassle,
Where domain is your ad domain name, and secuirtygroup is the name of your security group.
NET localgroup Administrators /add "domain\SecurityGroup"
AT least this way, if something goes wrong and you need to remove someone's local admin rights, you can do so easily by just removing tham from that group. A lot easier than trying to remove them from the domain users group!
Deb :))
You're really brave adding all users to the local admins group -
However here's what I do on the odd occasion it's necessary which you might consider. Create a security group in active directory users and computers, make it a member of domain users and add all the users you want to it.
Then either run this from a batch script on the pc, or save it as a batch file and run it as a start-up script via group policy to save you the hassle,
Where domain is your ad domain name, and secuirtygroup is the name of your security group.
NET localgroup Administrators /add "domain\SecurityGroup"
AT least this way, if something goes wrong and you need to remove someone's local admin rights, you can do so easily by just removing tham from that group. A lot easier than trying to remove them from the domain users group!
Deb :))
ASKER
I don't understand, i want them to have local admin rights, the machine only because some legacy apps neeed access to the registry etc. How would this have any effect on their network access? they still wouldnt be able to get at any servers or other machines remotely etc
If you put domain users into the local admins group, then if person A gets a virus, the virus tries to spread to all systems. Your servers are relatively safe, but all your workstations allow admin access so the virus easily penetrates other systems. Not all viruses do this, but some can. When you limit the user to running the system as a regular or power user, they don't have rights to install software that might contain viruses/trojans/etc.
There may be other options. The software that requires rights to the registry may work if the users are power users but not admins. You might also be able to adjust the registry permissions so that users can write to that specific area of the registry.
As a last resort, you could also create local admin accounts and instruct the users to "runas" the admin account when they run the application that needs registry access (more of a pain, but do you want to go around to all your machines and clean them when the next new virus hits because it spread so fast)
There may be other options. The software that requires rights to the registry may work if the users are power users but not admins. You might also be able to adjust the registry permissions so that users can write to that specific area of the registry.
As a last resort, you could also create local admin accounts and instruct the users to "runas" the admin account when they run the application that needs registry access (more of a pain, but do you want to go around to all your machines and clean them when the next new virus hits because it spread so fast)
ASKER
I see your point, i may try power users and see the difference, but even office2000 doesn't run as smoothly if the user isn't a local administrator