Local Admin: Allow local installation w/o full network access

Posted on 2005-04-18
Last Modified: 2010-04-14
I'm a Win2000 newbie.

We have a Win2000 server and Win2000 clients.

I need to give a user local rights, so he can install software directly on the client.
At the same time I do not want to give him full access (admin) to the network.

To my knowledge this has to be done with a "local admin".
How do I "promote" a user to be local admin on all client machines?

(GPOs seem to be in place, but I don't know exactly how to implement a startup script and check if it is really running)

Question by:olio
    LVL 15

    Expert Comment

    Log in to the user's machine as the domain administrator.
    Right-click My Computer
    Pick Manage
    Click Local Users and Groups
    Click Groups
    Double-Click on Administrators
    Click ADD
    Type in the user's account name.

    The user can now install software on his pc.
    LVL 1

    Author Comment


    Can this process be automated (20 machines)?
    With a script or a GPO?

    LVL 10

    Expert Comment

    You can add the next command to the logon script:

    You need to use this once or a few more times.
    I then suggest creating a .bat file you can run remotely.
    Download the PsTools from
    Use the psexec.exe command like this:
    psexec \\Computer -u Domain\User -P Password "net" localgroup "Power Users" Username /ADD
    LVL 10

    Expert Comment

    Power Users group rights are enough to install software locally.
    Psexec can be used manually or by .bat file from your workstation and will apply the above command to the user's PC mentioned in the command line for the user mentioned.
    LVL 1

    Author Comment

    I'm not sure I understand this psexec.

    Do I have to run this on each machine? Or can I run this on the server?
    Which User and Password do I pass? (Admin or the user that should do the local install)
    What does it mean "run it once or a few times"?
    Where do I save the batch file?
    How do I assign a logon script? (Is this for a user or for a machine)?
    Does this script run each time the machine starts?

    Thanks and sorry but I'm a newbie
    LVL 10

    Assisted Solution

    You can use it from the server or better from your own computer.
    It will install a service on each machine on which it runs but leaves the service in a manual state.

    Use the command in a DOS box. Replace Computer (the remote PC where the account must have the admin rights), Domain, User and Password (your account), and Username (the remote user who needs the rights to install) with the right values.

    psexec \\Computer_which_needs_the_rights -u Domain\User -P Password "net" localgroup "Power Users" Username_which_needs_the_rights /ADD

    Run the command in a DOS box, in the folder where you extracted psexec, or drag and drop psexec.exe into a DOS box.

    When it is done for each user, they need to log off and log back on.

    Forget the logon script and the batch files.
    Try using the above psexec command line first and check if it is successful on the first computer.

    Good luck
    LVL 1

    Author Comment

    Great. THANKS
    Can this be used to sync the time, since a time difference prevents the command from working?
    Can this be used to assign a default printer for all users?
    Can this be used to delete an old printer from the list of available users?
    (More points available if necessary)
    LVL 1

    Assisted Solution

    We are currently working on making all of our users non-local-admins in an effort to stop some of this spyware from being installed, and for other security reasons. We have found that most problems can be fixed by granting access to selected folders in the file system and selected registry keys.
    Also, in response to the above, you can open Computer Management on your PC, right-click on 'Computer Management (Local)' and click 'Connect to another computer...'. Here you can type the name or IP address of the PC and connect to it (provided the person you are logged in as has admin access to that PC; the alternative would be to RunAs Computer Management as an administrator of that PC). Then you can add people to the Administrators group from your desk. I have to do this for all of our sites around the USA.

    « « Jason P Cramsey - Gardner Denver - Corporate Helpdesk » »
    LVL 10

    Expert Comment

    I use it to execute any command-line tools or just a command prompt to work locally on a computer.
    Sometimes you need the Psservice command to disable an antivirus which can find that Psexec is a virus:
    Psservice \\Computername stop mcshield
    This is to stop, for example, the McAfee Antivirus.
    Psservice \\Computername start mcshield
    restarts it.

    You can also run VBScripts with Psexec.
    In this case use cscript (wscript /?)

    You can run Windows software remotely but you can't use it.

    Use psexec with the -i option if you need the result to appear on the remote computer.

    I think you can use rundll32 command to install printers.
    This is for another question ;-)
    LVL 1

    Accepted Solution

    Another thought - it's a little late now, but just as a general best practice, create a global group in Active Directory called Local Admins.  When you set up your new PC's, include that group in the administrators group.  Then when Joe in engineering needs to install the latest AutoDesk upgrade on a bunch of PC's, put him in the group.  He can then log in and do the upgrade.  When he is finished, take him out of the group.
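
An added example, not part of the thread or any poster's code: a small audit that reads saved `net localgroup Administrators` output from each client and lists accounts that are direct members instead of coming in through the "Local Admins" group described above. The domain name `CORP`, the approved list, the computer names and the sample output are all constructed assumptions.

```python
import re

# Assumption: the only principals allowed directly in local Administrators.
# "CORP" is a placeholder domain; "Local Admins" is the global group from the answer.
APPROVED = {"administrator", r"corp\domain admins", r"corp\local admins"}

def parse_members(net_output):
    """Return the member names printed by `net localgroup <group>`."""
    members, in_list = [], False
    for line in net_output.splitlines():
        line = line.strip()
        if re.fullmatch(r"-{5,}", line):      # dashed rule starts the member list
            in_list = True
        elif in_list and line.lower().startswith("the command completed"):
            break
        elif in_list and line:
            members.append(line)
    return members

def audit(captures, approved=APPROVED):
    """Map each computer to members that are not on the approved list."""
    findings = {}
    for computer, output in captures.items():
        extra = [m for m in parse_members(output) if m.lower() not in approved]
        if extra:
            findings[computer] = extra
    return findings

def _capture(*members):
    """Build constructed `net localgroup Administrators` output for the demo."""
    head = ("Alias name     Administrators\n"
            "Comment        Administrators have complete and unrestricted access\n"
            "\nMembers\n\n" + "-" * 79 + "\n")
    return head + "\n".join(members) + "\nThe command completed successfully.\n"

# Constructed sample: PC02 still has a user added by hand and never removed.
SAMPLE = {
    "PC01": _capture("Administrator", r"CORP\Domain Admins", r"CORP\Local Admins"),
    "PC02": _capture("Administrator", r"CORP\Domain Admins", r"CORP\joe"),
}

if __name__ == "__main__":
    for computer, extra in audit(SAMPLE).items():
        print(f"{computer}: unexpected local administrators: {', '.join(extra)}")
```

Run against output collected from all 20 machines, this shows where a one-off grant was never taken back out.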
