Local Admin: Allow local installation w/o full network access

I'm a Win2000 newbie.

We have a Win2000 server and Win2000 clients.

I need to give a user local rights, so he can install software directly on the client.
At the same time I do not want to give him full access (admin) to the network.

To my knowledge this has to be done with a "local admin".
How do I "promote" a user to be local admin on all client machines?

(GPOs seem to be in place, but I don't know exactly how to implement a startup script and check if it is really running)

DenverDan Commented:
Another thought - it's a little late now, but just as a general best practice, create a global group in Active Directory called Local Admins.  When you set up your new PCs, include that group in the administrators group.  Then when Joe in engineering needs to install the latest AutoDesk upgrade on a bunch of PCs, put him in the group.  He can then log in and do the upgrade.  When he is finished, take him out of the group.
Log in to the user's machine as the domain administrator.
Right click my computer
Pick manage
Click Local Users and Groups
Click Groups
Double-Click on Administrators
Click ADD
Type in the user's account name.

The user can now install software on his pc.
olio (Author) Commented:

Can this process be automated (20 machines)?
With a script or a GPO?

You can add the next command to the logon script :

You need to use this once or a few more times.
I then suggest to create a .bat file you can run remotely.
Download the Pstools from http://www.sysinternals.com.
Use the psexec.exe command like this :
psexec \\Computer -u Domain\User -P Password "net" localgroup "Power Users" Username /ADD
Power Users group rights are enough to install a software locally.
Psexec can be used manually or by .bat file from your workstation and will apply the above command to the user's PC mentioned in the command line for the user mentioned.
olio (Author) Commented:
I'm not sure I understand this psexec.

Do I have to run this on each machine? Or can I run this on the server.
Which User and Password do I pass? (Admin or the user that should do the local install)
What does it mean "run it once or a few times"?
Where do I save the batch file?
How do I assign a logon script? (Is this for a user or for a machine)?
Does this script run each time the machine starts?

Thanks and sorry but I'm a newbie
Longbow Commented:
You can use it from the server or better from your own computer.
It will install a service on each machine on which it runs but leaves the service in a manual state.

Use the command in a DOS box. Replace Computer (the remote PC where the account must have the admin rights), Domain, User and Password (your account), and Username (the remote user who needs the rights to install) with the right values.

psexec \\Computer_wich_needs_the_rights -u Domain\User -P Password "net" localgroup "Power Users" Username_wich_needs_the_rights /ADD

Run the command in a DOS box, in the folder where you extracted psexec, or drag and drop psexec.exe into a DOS box.

When it is done for each user they need to log off and log back on.

Forget the logon script and the batch files.
Try using the above psexec command line first and check if it is successful on the first computer.

Good luck
olio (Author) Commented:
Can this be used to sync the time, since a time difference prevents the command from working?
Can this be used to assign a default printer for all users?
Can this be used to delete an old printer from the list of available users?
(More points available if necessary)
DenverDan Commented:
We are currently working on making all of our users non local admins in an effort to stop some of this Spyware from being installed and other security reasons.  We have found the most problems can be fixed by granting access to selected folders in the file system and selected registry keys.
Also, to the above response, you can open Computer Management on your PC, right click on 'Computer Management (Local)' and click 'Connect to another computer...'.  Here you can type the name or IP address of the PC and connect to it (provided the person you are logged in as has admin access to that PC; the other alternative to that would be to RunAs Computer Management as an administrator of that PC).  Then you can add people to the administrators group from your desk.  I have to do this for all of our sites around the USA.

« « Jason P Cramsey - Gardner Denver - Corporate Helpdesk » »
I use it to execute any command line tools or just a command prompt to work locally on a computer.
Sometimes you need the Psservice command to disable an antivirus which can find that Psexec is a virus : Psservice \\Computername stop mcshield
This is to stop for example the McAfee Antivirus.
Psservice \\Computername start mcshield
 restarts it.

You can run also vbscripts with Psexec.
In this case use cscript (wscript /?)

You can run Windows software remotely but you can't use it.

Use psexec with the -i option if you need the result to appear on the remote computer.

I think you can use rundll32 command to install printers.
This is for another question ;-)
Question has a verified solution.
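
The group-based approach DenverDan describes, automated for a list of clients, as an added example that is not part of the original thread. It assumes PowerShell on an admin workstation, run by an account that already has admin rights on the clients; `EXAMPLE`, `PC01` and `PC02` are placeholders. It nests the domain group into each local Administrators group and reports domain principals that were added directly, so temporary grants do not linger.

```powershell
# Added example, not from the thread. EXAMPLE, PC01 and PC02 are placeholders.
$Domain    = 'EXAMPLE'             # placeholder NetBIOS domain name
$GroupName = 'Local Admins'        # global group name suggested in the thread
$Computers = 'PC01', 'PC02'        # constructed sample list of client machines

# Members expected on every client; any other domain principal is reported.
$Expected = @("$Domain/Domain Admins", "$Domain/$GroupName")

function Get-LocalAdminPath {
    param([string]$Computer)
    $admins = [ADSI]"WinNT://$Computer/Administrators,group"
    foreach ($member in @($admins.psbase.Invoke('Members'))) {
        # ADsPath is WinNT://DOMAIN/name for domain principals and
        # WinNT://DOMAIN/COMPUTER/name for accounts local to the machine.
        $path = $member.GetType().InvokeMember('ADsPath', 'GetProperty',
                                               $null, $member, $null)
        $path -replace '^WinNT://', ''
    }
}

foreach ($computer in $Computers) {
    try {
        $members = @(Get-LocalAdminPath -Computer $computer)

        # Nest the domain group once; membership is then managed in AD only.
        if ($members -notcontains "$Domain/$GroupName") {
            $admins = [ADSI]"WinNT://$computer/Administrators,group"
            $admins.Add("WinNT://$Domain/$GroupName,group")
            Write-Output "$computer : added $Domain\$GroupName"
        }

        # Flag domain users or groups that were added to the machine directly.
        foreach ($m in $members) {
            $isLocal = ($m -split '/').Count -eq 3
            if (-not $isLocal -and $Expected -notcontains $m) {
                Write-Output "$computer : review direct member $m"
            }
        }
    } catch {
        # Unreachable machine or access denied: report and continue.
        Write-Warning "$computer : $($_.Exception.Message)"
    }
}
```

Because the script runs under the caller's logon session, no password appears on a command line or in a batch file.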
