

How do you assign network users administrative rights on some computers but not on others?

Posted on 2006-10-24
Medium Priority
Last Modified: 2010-04-18
This seems like an easy thing to do, but I can't figure out how.  I manage the network for a school, and would like to give staff members administrative rights on their computer and the computers in their classroom but not on the rest of the network.  The main trouble they run into is being unable to install programs.  They can get around this by logging onto the computer rather than the network, but the problem is that some of them have decided that logging onto the computer is easier and now do that all the time.  I want them to log onto the network so their logon script executes and so that server programs and services can more easily be deployed.

We have a Windows 2003 Native domain.
Question by:srsdtech
LVL 26

Assisted Solution

MidnightOne earned 1000 total points
ID: 17797051


In the ideal world, a network administrator deals with ALL software installs.
People install stupid things because they don't know any better.
Barring a reason for the staff to have a local logon for a system, they should be vigorously denied that right.


Back to reality. If they can log into the local machine and prefer to do so, there's little you can do so long as they retain that logon information.

You'll need a multi-pronged approach:

1: identify the computers on which each staff member needs software installation rights
2: on THOSE COMPUTERS ONLY add the staff member to the local Administrators group

Personally, I think you're going to run into trouble by allowing the (relatively unwashed) masses to do software installs at their own whims.

LVL 16

Expert Comment

by:Kevin Hays
ID: 17797076
You can do it by machine if you wish, or you can create a batch script with the following info in it.

net localgroup administrators domain\username /add

This command will just have them in the Administrators group on the local machine and nothing else.  I would also have them as "users" only, if you can, for the network.  The problem with logging into the computer is they probably won't have anything: no drives mapped, etc.

You could also look into restricted groups if you want to control who's got admin access as well.

LVL 16

Expert Comment

by:Kevin Hays
ID: 17797091
Also another note :)

The command I used just lets them be in the local Administrators group on the local PC only.  None of my users have accounts that are local to their machines, and none of them are members of the Administrators group locally on their machine either.  Like MidnightOne suggested, you cannot have your users installing things or even logging on locally to the system.  It just creates a nightmare really.



Expert Comment

ID: 17797185
I would never give users direct admin privileges if I didn't have to.  I've scripted most of my application installs to run with AutoIT (download: http://www.autoitscript.com/autoit3/) with admin privileges.  You can do this by creating an au3 file (AutoIT script file) with the following syntax:

Try using AutoIT (Download here:)

You can easily create an au3 script file that can be compiled into an executable.  Just specify the account, password, name of the exe or bat file, and path.  Works like a charm.  Best of all it's free!  Definitely one of the most useful tools I have in my admin arsenal.  Here is the syntax:

; Account the installer will run under, and the program to launch
Dim $UserName, $DomainName, $Password, $RunProgram, $RunPath

$UserName = "Username"
$DomainName = "domainname"
$Password = "Password"

$RunProgram = "setup.exe"
$RunPath = "\\servername\sharename"

; All Run/RunWait calls after this point use the credentials above
RunAsSet ( $UserName, $DomainName, $Password )

; Launch the installer from the share and wait for it to finish;
; $val receives the installer's exit code
$val = RunWait($RunPath & "\" & $RunProgram, $RunPath, @SW_Maximize)

This allows you to specify the Username, Domain name, password, executable and path that installs run under.  Compile this into an exe file (AutoIT can do this with encryption) and place it on a share that users can access.  This way you keep users out of the local admin group and at the same time they can install approved applications.

I hope this helps.  Let me know if you have any questions.

Accepted Solution

CharliePete00 earned 1000 total points
ID: 17797224
Creating desktop administrators is fairly common practice.  In your situation I would do the following.

1.  Create OUs for each classroom
2.  Add the computers in each classroom to the appropriate OU
3.  Create desktop administrator group for each classroom
4.  Add the appropriate desktop administrator group to the Local Administrators group on each computer in the classroom
5.  Add the instructor's domain account to the appropriate desktop administrator group for their classroom.

Since this is a school setting and you will have students testing their boundaries, you may also want to look at restricting membership in the Local Administrators group.  See the following for more info:

You may also find that the instructor needs to be able to have some administrative control of AD accounts in their classroom.  See the following post on delegating control for more info:

Good luck!
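The five steps in the accepted answer, plus Kevin Hays's per-machine `net localgroup` step, as an added example that is not from any poster in this thread. It assumes the ActiveDirectory PowerShell module is available on the admin workstation (RSAT on Server 2008 R2 or later; in the 2003-era setup of the question, dsadd/dsmod do the same job) and uses made-up names for the domain, classroom, computers and instructor.

```powershell
# Added example, not from the thread. Builds one classroom's structure:
# OU -> computers moved in -> per-classroom desktop-admin group -> instructor added.
#Requires -Modules ActiveDirectory
param(
    [string]$DomainDN    = 'DC=school,DC=local',        # assumed domain
    [string]$Classroom   = 'Room101',                    # assumed classroom name
    [string[]]$Computers = @('LAB101-01', 'LAB101-02'),  # assumed computer accounts
    [string]$Instructor  = 'jdoe'                        # assumed staff sAMAccountName
)
Import-Module ActiveDirectory

# Step 1: one OU per classroom, under a parent "Classrooms" OU.
$parentDN = "OU=Classrooms,$DomainDN"
if (-not (Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$parentDN'")) {
    New-ADOrganizationalUnit -Name 'Classrooms' -Path $DomainDN
}
$ouDN = "OU=$Classroom,$parentDN"
if (-not (Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$ouDN'")) {
    New-ADOrganizationalUnit -Name $Classroom -Path $parentDN
}

# Step 2: move the classroom's computer accounts into that OU, so any GPO
# or startup script linked there reaches exactly these machines.
foreach ($c in $Computers) {
    Get-ADComputer -Identity $c | Move-ADObject -TargetPath $ouDN
}

# Step 3: a global "desktop administrators" group scoped to this classroom.
$groupName = "DesktopAdmins-$Classroom"
if (-not (Get-ADGroup -Filter "sAMAccountName -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -Path $ouDN `
        -Description "Local Administrators on $Classroom computers only"
}

# Step 5: the instructor's domain account joins only their own classroom group.
# Rights stay bound to the group, so nothing is granted on other rooms' machines.
Add-ADGroupMember -Identity $groupName -Members $Instructor

# Step 4 happens on the computers, not in AD. Either a computer startup script
# linked to $ouDN that runs:
#     net localgroup Administrators "SCHOOL\$groupName" /add
# or, better, a Restricted Groups policy on $ouDN that sets the local
# Administrators membership to exactly this group (plus the built-in account),
# which also strips any extra local admins that have accumulated.
```

Because membership is held in the domain group rather than in each machine's local SAM, reviewing or revoking a teacher's rights is a single group edit, and no credentials need to be embedded in any install script.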

Author Comment

ID: 17799386
Wow!  I ran off to teach a couple classes and you guys wrote a novel!  Thanks!  I'm still digesting the information, but I can see you have given me some great stuff.

In the meantime, I will make a few comments.  Regarding your observations about the wisdom of giving administrative rights to users--I'm with you on every point.  I know it would create a huge headache.  I want everyone to log on to the network all the time, and I want the local administrative password to be known only by me.  The only reason for that account is for me to be able to get into the computer if it gets kicked off the network.

This brings up the issue of laptops.  Some staff have laptops which they use as their class computer.  They log onto the laptop (local account) here at school so that when they take the laptop home, they get the same personalized settings.  I would like them to log onto the network instead, but do not know how to configure this so that when they get somewhere else those settings are preserved.

I haven’t added anything to this for 45 minutes (got called out) so I will just post it before the thoughts get cold.
LVL 26

Expert Comment

ID: 17799932

User laptops are a problem all their own, but barring anything from on high (read: school administration and negotiated with the teachers' union), there's going to be nothing you can do about those.

I'd recommend changing the local admin password on the school-controlled systems immediately and killing off all other local accounts on those systems anyway for good measure.

A word on the kids - they WILL find a way to hack the network. It's your skills versus ALL of theirs. Don't hand them tools like a local admin account that's left unattended. ;-)


Author Comment

ID: 17805994
I looked into all of the solutions offered, and though all sound great, there are only two I can see myself using much.  I will split points between those two contributors.  



Expert Comment

ID: 17806068
Good Luck! and thanks.

