• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 393
  • Last Modified:

Local Admin: Allow local installation w/o full network access

I'm a Win2000 newbie.

We have a Win2000 server and Win2000 clients.

I need to give a user local right, so he can install software directly on the client.
At the same time I do not want to give him full access (admin) to the network.

To my knowledge this has to be done with a "local admin".
How do I "promote" a user to be local admin on all client machines?

(GPO seem to be in place, but I don't know exactly how to implement a startup-script and check if it  is really running)

Thanks
0
olio
Asked:
olio
  • 4
  • 3
  • 2
  • +1
3 Solutions
 
ZabagaRCommented:
Login to the user's machine with as the domain administrator.
Right click my computer
Pick manage
Click Local Users and Groups
Click Groups
Double-Click on Administrators
Click ADD
Type in the user's account name.

The user can now install software on his pc.
0
 
olioAuthor Commented:
Thanks

Can this process be automated (20 machines)?
With a script or a GPO?

0
 
LongbowCommented:
You can add the next command to the logon script :

You need to use this once or a few more times.
I then suggest to create a .bat file you can run remotely.
Download the Pstools ftom http://www.sysinternals.com.
Use the psexec.exe command like this :
psexec \\Computer -u Domain\User -P Password "net" localgroup "Power Users" Username /ADD
0
Upgrade your Question Security!

Add Premium security features to your question to ensure its privacy or anonymity. Learn more about your ability to control Question Security today.

 
LongbowCommented:
Power Users group rights are enough to install a software locally.
Psexec can be used manually or by .bat file from your workstation and will apply the above command to the user's PC mentionned in the command line for the user mentionned.
0
 
olioAuthor Commented:
I'm not sure I understand thie psexec.

Do I have to run this on each machine? Or can I run this on the server.
Which User and Password do I pass? (Admin or the user that should do the local install)
What does it mean "run it once or a few times"?
Where do I save the batch file?
How do I assign a logon script? (Is this for a user or for a machine)?
Does this script run each time the machine starts?

Thanks and sorry but I'm a newbie
0
 
LongbowCommented:
You can use it from the server or better from your own computer.
It will install a service on each machine on wich it runs but leaves the service in a manual state.

Use the command in a dos box. Replace Computer(Remote PC wher the account must have the Admin rights), Domain& User&, Password(Your Account), Username(Remote wich needs the rights to install) by the right values.

psexec \\Computer_wich_needs_the_rights -u Domain\User -P Password "net" localgroup "Power Users" Username_wich_needs_the_rights /ADD

Run the command in a dos box, in the folder where you extract psexec or drag and drop psexec.exe to a dos box.

When it is done for each user they need to log off and log back on.

Forget the logon script and the batch files.
Try using the above psexec commandline first and check if it is successfull on the first computer.

Good luck
0
 
olioAuthor Commented:
Great. THANKS
Can this be used to sync the time. Since a time difference prevents the command to work.
Can this be used to assign a default printer for all users?
Can this be used to delete an old printer from the list of available users?
(More points available if necessary
0
 
DenverDanCommented:
We are currenty working on making all of our users non local admins in an effort to stop some of this Spyware from being installed and other security reasons.  We have found the most problems can be fixed by granting access to selected folders in the file system and selected registry keys.
Also, to the above responce, you can open Computer Management on your PC, right click on 'Computer Management(Local)' and click 'Connect to another computer...'.  Here you can type the name or IP address of the pc and connect to it(provided the person you are logged in as has admin access to that PC(the other alternative to that would be to RunAs Computer Management as an administrator of that PC)).  Then you can add people to the administrators group from your desk.  I have to do this for all of our sites around the USA.

« « Jason P Cramsey - Gardner Denver - Corporate Helpdesk » »
0
 
LongbowCommented:
I use it to execute any command line tools or just a command prompt to work locally on a computer.
Sometimes you need the Psservice command to disable an antivirus wich can find Psexec is a virus : Psservice \\Computername stop mcshield
This is to stop for example the McAfee Antivirus.
Psservice \\Computername start mcshield
 restarts it.

You can run also vbscripts with Psexec.
In this case use cscript (wscript /?)

You can run windows software remotely but you can't use it.

Use psexec with the -i option if you need the result appears on the remote computer.

I think you can use rundll32 command to install printers.
This is for another question ;-)
0
 
DenverDanCommented:
Another thought - it's a little late now, but just as a general best practice, create a global group in Active Directory called Local Admins.  When you set up your new PC's, include that group in the administrators group.  Then when Joe in engineering needs to install the latest AutoDesk upgrade on a bunch of PC's, put him in the group.  He can then log in and do the upgrade.  When he is finished, take him out of the group.
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 4
  • 3
  • 2
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now