How do you assign network users administrative rights on some computers but not on others?

Posted on 2006-10-24
Last Modified: 2010-04-18
This seems like an easy thing to do, but I can't figure out how.  I manage the network for a school, and would like to give staff members administrative rights on their computer and the computers in their classroom but not on the rest of the network.  The main trouble they run into is being unable to install programs.  They can get around this by logging onto the computer rather than the network, but the problem is that some of them have decided that logging onto the computer is easier and now do that all the time.  I want them to log onto the network so their logon script executes and so that server programs and services can more easily be deployed.

We have a Windows 2003 Native domain.
Question by:srsdtech
LVL 26

Assisted Solution

MidnightOne earned 250 total points
ID: 17797051


In the ideal world, a network administrator deals with ALL software installs.
People install stupid things because they don't know any better.
Barring a reason for the staff to have a local logon for a system, they should be vigorously denied that right.


Back to reality. If they can log into the local machine and prefer to do so, there's little you can do so long as they retain that logon information.

You'll need a multi-pronged approach:

1: identify the computers each staff member needs software installation rights on
2: on THOSE COMPUTERS ONLY add the staff member to the local Administrators group

Personally, I think you're going to run into trouble by allowing the (relatively unwashed) masses do software installs at their own whims.

LVL 16

Expert Comment

by:Kevin Hays
ID: 17797076
You can do it by machine if you wish, or you can create a batch script with the following info in it.

net localgroup administrators domain\username /add

This command will just have them in the administrators group on the local machine and nothing else.  I would also have them as "users" only if you can for the network.  The problem with logging into the computer is they probably won't have anything, no drives mapped, etc....

You could also look into restricted groups if you want to control who's got admin access as well.
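One way to do what Kevin describes without keeping a different batch file for every machine, as an added example that is not from the thread: a single startup script deployed everywhere that grants local admin only where a staff member is designated, and revokes domain accounts that got into the group some other way. It assumes PowerShell 5.1 or later, the domain NetBIOS name SCHOOL and the constructed computer-to-account mapping inside the script.

```powershell
# Added example (not from the thread): one startup script deployed to every
# computer that grants local admin only on the machines a staff member is
# designated for, and revokes domain accounts that got in some other way.
# Assumed: PowerShell 5.1+ (Get/Add/Remove-LocalGroupMember; on the 2003-era
# systems in this thread "net localgroup" does the same job), domain NetBIOS
# name SCHOOL, and the constructed mapping below. Runs as SYSTEM at startup,
# so $env:COMPUTERNAME is what decides who gets rights here.

$Domain = "SCHOOL"

# Constructed mapping: computer name -> staff account(s) allowed to administer it
$Designated = @{
    "R101-PC01" = @("jdoe")
    "R101-PC02" = @("jdoe")
    "R102-PC01" = @("asmith")
}

# Domain principals that belong in Administrators on every machine
$wanted = @("$Domain\Domain Admins")
if ($Designated.ContainsKey($env:COMPUTERNAME)) {
    $wanted += @($Designated[$env:COMPUTERNAME] | ForEach-Object { "$Domain\$_" })
}

$current = @(Get-LocalGroupMember -Group "Administrators")

# Local principals (the built-in Administrator, whatever it is named) are left
# alone; only domain accounts and groups are managed by this script.
foreach ($m in $current) {
    if ($m.PrincipalSource -eq "ActiveDirectory" -and $wanted -notcontains $m.Name) {
        Remove-LocalGroupMember -Group "Administrators" -Member $m.Name
        Write-Output "Removed $($m.Name) from Administrators on $env:COMPUTERNAME"
    }
}

# Add the designated principals that are not in the group yet
foreach ($w in $wanted) {
    if ($current.Name -notcontains $w) {
        Add-LocalGroupMember -Group "Administrators" -Member $w
        Write-Output "Added $w to Administrators on $env:COMPUTERNAME"
    }
}
```

Because the script also removes undesignated domain members, it behaves like the restricted-groups approach mentioned above: a teacher added by hand on the wrong machine loses that membership at the next startup.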

LVL 16

Expert Comment

by:Kevin Hays
ID: 17797091
Also another note :)

The command I used just lets them be in the Local Admin group on the local PC only.  None of my users have accounts that are local to their machines and none of them are members of the admin group locally to their machine either.  Like MidnightOne suggested, you cannot have your users installing things or even logging on locally to the system.  It just creates a nightmare really.


Expert Comment

ID: 17797185
I would never give users direct admin privileges if I didn't have to.  I've scripted most of my application installs to run with AutoIT (download: with admin privileges.  You can do this by creating a m3u file (AutoIT script file) with the following syntax:

Try using AutoIT (Download here:)

You can easily create a m3u script file that can be compiled into an executable.  Just specify the account, password, name of the exe or bat file, and path.  Works like a charm.  Best of all it's free!  Definitely one of the most useful tools I have in my admin arsenal.  Here is the syntax:

Dim $UserName, $DomainName, $Password, $RunProgram, $RunPath, $val

; Account the installer runs under (the password is stored in this script)
$UserName = "Username"
$DomainName = "domainname"
$Password = "Password"

; Installer to launch and the share it lives on
$RunProgram = "setup.exe"
$RunPath = "\\servername\sharename"

; Every Run/RunWait call after this uses these credentials
RunAsSet ( $UserName, $DomainName, $Password )

; Run the installer from the share and wait for it to finish; $val holds its exit code
$val = RunWait($RunPath & "\" & $RunProgram, $RunPath, @SW_Maximize)

This allows you to specify the Username, Domain name, password, executable and path that installs run under.  Compile this into an exe file (AutoIT can do this with encryption) and place it on a share that users can access.  This way you keep users out of the local admin group and at the same time they can install approved applications.

I hope this helps.  Let me know if you have any questions.

Accepted Solution

CharliePete00 earned 250 total points
ID: 17797224
Creating desktop administrators is fairly common practice.  In your situation I would do the following.

1.  Create OUs for each classroom
2.  Add the computers in each classroom to the appropriate OU
3.  Create desktop administrator group for each classroom
4.  Add the appropriate desktop administrator group to the Local Administrators group on each computer in the classroom
5.  Add the instructor's domain account to the appropriate desktop administrator group for their classroom.

Since this is a school setting and you will have students testing their boundaries you may also want to look at restricting membership in the Local Administrators group.  See the following for more info:

You may also find that the instructor needs to be able have some administrative control of AD accounts in their classrooms.  See the following post on delegating control for more info:

Good luck!
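Steps 1, 2, 3 and 5 above, scripted with the ActiveDirectory PowerShell module (RSAT) as an added example that is not from the thread; the domain name, parent OU, room names, computer names and teacher accounts are all constructed. Step 4 is still applied per machine, for example with a Restricted Groups GPO linked to each room's OU, and is not scripted here.

```powershell
# Added example (not from the thread): CharliePete00's steps 1, 2, 3 and 5 as a
# script using the ActiveDirectory module (RSAT). Assumed/constructed: domain
# school.local, an existing parent OU "Classrooms", and the room table below.
# Step 4 (putting each room's group into the local Administrators group of that
# room's computers) is done per machine, e.g. with a Restricted Groups GPO linked
# to the room's OU, and is not part of this script.
Import-Module ActiveDirectory

$BaseOU = "OU=Classrooms,DC=school,DC=local"   # assumed to exist already

# Constructed inventory: one entry per classroom
$Rooms = @(
    @{ Room = "Room101"; Teacher = "jdoe";   Computers = @("R101-PC01", "R101-PC02") },
    @{ Room = "Room102"; Teacher = "asmith"; Computers = @("R102-PC01") }
)

foreach ($r in $Rooms) {
    $ouDN = "OU=$($r.Room),$BaseOU"
    $grp  = "DesktopAdmins-$($r.Room)"

    # Step 1: one OU per classroom, created only if it is missing
    if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$($r.Room))" -SearchBase $BaseOU -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name $r.Room -Path $BaseOU
    }

    # Step 2: move that room's computer objects into its OU
    foreach ($pc in $r.Computers) {
        $c = Get-ADComputer -Identity $pc
        if ($c.DistinguishedName -notlike "*,$ouDN") {
            Move-ADObject -Identity $c.DistinguishedName -TargetPath $ouDN
        }
    }

    # Step 3: one desktop-administrator security group per room, stored in its OU
    if (-not (Get-ADGroup -LDAPFilter "(sAMAccountName=$grp)" -SearchBase $ouDN)) {
        New-ADGroup -Name $grp -SamAccountName $grp -GroupScope Global -GroupCategory Security `
            -Path $ouDN -Description "Local Administrators on $($r.Room) computers only"
    }

    # Step 5: the instructor's domain account joins only the group for their own room
    Add-ADGroupMember -Identity $grp -Members $r.Teacher
}
```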

Author Comment

ID: 17799386
Wow!  I ran off to teach a couple classes and you guys wrote a novel!  Thanks!  I'm still digesting the information, but I can see you have given me some great stuff.

In the meantime, I will make a few comments.  Regarding your observations about the wisdom of giving administrative rights to users--I'm with you on every point.  I know it would create a huge headache.  I want everyone to log on to the network all the time, and I want the local administrative password to be known only by me.  The only reason for that account is for me to be able to get into the computer if it gets kicked off the network.

This brings up the issue of laptops.  Some staff have laptops which they use as their class computer.  They log onto the laptop (local account) here at school so that when they take the laptop home, they get the same personalized settings.  I would like them to log onto the network instead, but do not know how to configure this so that when they get somewhere else those settings are preserved.

I haven’t added anything to this for 45 minutes (got called out) so I will just post it before the thoughts get cold.
LVL 26

Expert Comment

ID: 17799932

User laptops are a problem all their own, but barring anything from on high (read: school administration and negotiations with the teachers' union), there's going to be nothing you can do about those.

I'd recommend changing the local admin password on the school-controlled systems immediately and killing off all other local accounts on those systems anyway for good measure.

A word on the kids - they WILL find a way to hack the network. It's your skills versus ALL of theirs. Don't hand them tools like a local admin account that's left unattended. ;-)


Author Comment

ID: 17805994
I looked into all of the solutions offered, and though all sound great, there are only two I can see myself using much.  I will split points between those two contributors.  



Expert Comment

ID: 17806068
Good Luck! and thanks.

