Solved

How do you assign network users administrative rights on some computers but not on others?

Posted on 2006-10-24
9
256 Views
Last Modified: 2010-04-18
This seems like an easy thing to do, but I can't figure out how.  I manage the network for a school, and would like to give staff members administrative rights on their computer and the computers in their classroom but not on the rest of the network.  The main trouble they run into is being unable to install programs.  They can get around this by logging onto the computer rather than the network, but the problem is that some of them have decided that logging onto the computer is easier and now do that all the time.  I want them to log onto the network so their logon script executes and so that server programs and services can more easily be deployed.

We have a Windows 2003 Native domain.
0
Comment
Question by:srsdtech
  • 2
  • 2
  • 2
  • +2
9 Comments
 
LVL 26

Assisted Solution

by:MidnightOne
MidnightOne earned 250 total points
ID: 17797051
srsdtech:

<rant>

In the ideal world, a network administrator deals with ALL software installs.
People install stupid things because they don't know any better.
Barring a reason for the staff to have a local logon for a system, they should be vigorously denied that right.

</rant>

Back to reality. If they can log into the local machine and prefer to do so, there's little you can do so long as they retain that logon information.

You'll need a multi-pronged approach:

1: identify the computers each staff member needs software installation right
2: on THOSE COMPUTERS ONLY add the staff member to the local Administrator's group

Personally, I think you're going to run into trouble by allowing the (relatively unwashed) masses do software installs at their own whims.

MidnightOne
0
 
LVL 16

Expert Comment

by:kshays
ID: 17797076
You can do it by machine if you wish or you can create a batch script the the following info in it.

net localgroup administrators domain\username /add

This command will just have them in the administrators group on the local machine and nothing else.  I would also have them as "users" only if you can for the network.  The problem with logging into the computer is they probably won't have anything, no drives mapped, etc....

You could also look into restricted groups if you want to control who's got admin access as well.
http://www.windowsecurity.com/articles/Using-Restricted-Groups.html


Kevin
0
 
LVL 16

Expert Comment

by:kshays
ID: 17797091
Also another note :)

The command I used just let's them be in the Local Admin group on the local PC only.  None of my users have accounts that are local to their machines and none of them are members of the admin group locally to their machine either.  Like MidnightOne suggested, you cannot have your users installing things or even logging on locally to the system.  It just creates a nightmare really.

Kevin
0
VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

 
LVL 9

Expert Comment

by:SamuraiCrow
ID: 17797185
I would never give users direct admin privileges if I didn't have to.  I've scripted most of my application installs to run with AutoIT (download: http://www.autoitscript.com/autoit3/) with admin priveleges.  You can do this by creating a m3u file (AutoIT script file) with the following syntax:

Try using AutoIT (Download here:)
http://www.autoitscript.com/autoit3/

You can easily create a m3u script file that can be compiled into an executable.  Just specify the account, password, name of the exe or bat file, and path.  Works like a charm.  Best of all it's free!  Definately one of the most useful tools I have in my admin arsenal.  Here is the syntax:

Dim $UserName, $DomainName, $Password, $RunProgram, $RunPath

$UserName = "Username"
$DomainName = "domainname"
$Password = "Password"

$RunProgram = "setup.exe"
$RunPath = "\\servername\sharename"


RunAsSet ( $UserName, $DomainName, $Password )

$val = RunWait($RunPath & "\" & $RunProgram, $RunPath, @SW_Maximize)

This allows you to specify the Username, Domain name, password, executable and path that installs run under.  Compile this into an exe file (AutoIT can do this with encryption) and place it on a share that users can access.  This way you keep users out of the local admin group and at the same time they can install approved applications.

I hope this helps.  Let me know if you have any questions.
Crow
0
 
LVL 7

Accepted Solution

by:
CharliePete00 earned 250 total points
ID: 17797224
Creating desktop administrators is fairly common practice.  In your situation I would do the following.

1.  Create OUs for each classroom
2.  Add the computers in each classroom to the appropriate OU
3.  Create desktop administrator group for each classroom
4.  Add the appropriate desktop administrator group to the Local Administrators group on each computer in the classroom
5.  Add the instructor's domain account to the appropriate desktop administrator group for their classroom.

Since this is a school setting and you will have students testing their boundaries you may also want to look at restricting
membership in the Local Administrators group.  See the following for more info:
http://www.experts-exchange.com/Networking/Microsoft_Network/Q_21333932.html

You may also find that the instructor needs to be able have some administrative control of AD accounts in their classrooms.  See the following post on delegating control for more info:
http://www.experts-exchange.com/Networking/Microsoft_Network/Q_21200568.html

Good luck!
0
 

Author Comment

by:srsdtech
ID: 17799386
Wow!  I ran off to teach a couple classes and you guys wrote a novel!  Thanks!  I'm still digesting the information, but I can see you have given me some great stuff.

In the meantime, I will make a few comments.  Regarding your observations about the wisdom of giving administrative rights to users--I'm with you on every point.  I know it would create a huge headache.  I want everyone to log on to the network all the time, and I want the local administrative password to be known only by me.  The only reason for that account is for me to be able to get into the computer if it gets kicked off the network.

This brings up the issue of laptops.  Some staff have laptops which they use as their class computer.  They log onto the laptop (local account) here at school so that when they take the laptop home, they get the same personalized settings.  I would like them to log onto the network instead, but do not know how to configure this so that when they get somewhere else those settings are preserved.

I haven’t added anything to this for 45 minutes (got called out) so I will just post it before the thoughts get cold.
0
 
LVL 26

Expert Comment

by:MidnightOne
ID: 17799932
srsdtech:

User laptops are a problem all their own, but barrings anything from on high ( read: school administrations and negotiated with the teacher's union ), there's going to be nothing you can do about those.

I'd recommend changing the local admin password on the school-controlled systems immediately and killing off all other local accounts on those systems anyway for good measure.

A word on the kids - they WILL find a way to hack the network. It's your skills versus ALL of theirs. Don't hand them tools like a local admin account that's left unattended. ;-)

MidnightOne
0
 

Author Comment

by:srsdtech
ID: 17805994
I looked into all of the solutions offered, and though all sound great, there are only two I can see myself using much.  I will split points between those two contributors.  

Thanks!

srsdtech
0
 
LVL 7

Expert Comment

by:CharliePete00
ID: 17806068
Good Luck! and thanks.

0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

I guess it is not common knowledge to most Wintel engineers/administrators: If you have an SNMP-based monitoring system in your environment (and it's common to have SNMP or Syslog) it's reasonably easy to enable monitoring of the Windows Event logs,…
Numerous times I have been asked this questions that what is it that makes my machine log on so slow, there have been cases where computers took 23 minute exactly after taking password and getting to the desktop. Interesting thing was the fact th…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

808 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question