

How do you assign network users administrative rights on some computers but not on others?

Posted on 2006-10-24
Medium Priority
Last Modified: 2010-04-18
This seems like an easy thing to do, but I can't figure out how.  I manage the network for a school, and would like to give staff members administrative rights on their computer and the computers in their classroom but not on the rest of the network.  The main trouble they run into is being unable to install programs.  They can get around this by logging onto the computer rather than the network, but the problem is that some of them have decided that logging onto the computer is easier and now do that all the time.  I want them to log onto the network so their logon script executes and so that server programs and services can more easily be deployed.

We have a Windows 2003 Native domain.
Question by:srsdtech
LVL 26

Assisted Solution

MidnightOne earned 1000 total points
ID: 17797051


In the ideal world, a network administrator deals with ALL software installs.
People install stupid things because they don't know any better.
Barring a reason for the staff to have a local logon for a system, they should be vigorously denied that right.


Back to reality. If they can log into the local machine and prefer to do so, there's little you can do so long as they retain that logon information.

You'll need a multi-pronged approach:

1: identify the computers on which each staff member needs software installation rights
2: on THOSE COMPUTERS ONLY add the staff member to the local Administrators group

Personally, I think you're going to run into trouble by allowing the (relatively unwashed) masses to do software installs at their own whims.

LVL 16

Expert Comment

by:Kevin Hays
ID: 17797076
You can do it by machine if you wish or you can create a batch script with the following info in it.

net localgroup administrators domain\username /add

This command will just have them in the administrators group on the local machine and nothing else.  I would also have them as "users" only if you can for the network.  The problem with logging into the computer is they probably won't have anything, no drives mapped, etc....

You could also look into restricted groups if you want to control who's got admin access as well.

LVL 16

Expert Comment

by:Kevin Hays
ID: 17797091
Also another note :)

The command I used just lets them be in the Local Admin group on the local PC only.  None of my users have accounts that are local to their machines and none of them are members of the admin group locally to their machine either.  Like MidnightOne suggested, you cannot have your users installing things or even logging on locally to the system.  It just creates a nightmare really.



Expert Comment

ID: 17797185
I would never give users direct admin privileges if I didn't have to.  I've scripted most of my application installs to run with AutoIT (download: with admin privileges.  You can do this by creating a m3u file (AutoIT script file) with the following syntax:

Try using AutoIT (Download here:)

You can easily create a m3u script file that can be compiled into an executable.  Just specify the account, password, name of the exe or bat file, and path.  Works like a charm.  Best of all it's free!  Definitely one of the most useful tools I have in my admin arsenal.  Here is the syntax:

Dim $UserName, $DomainName, $Password, $RunProgram, $RunPath

$UserName = "Username"
$DomainName = "domainname"
$Password = "Password"

$RunProgram = "setup.exe"
$RunPath = "\\servername\sharename"

RunAsSet ( $UserName, $DomainName, $Password )

$val = RunWait($RunPath & "\" & $RunProgram, $RunPath, @SW_Maximize)

This allows you to specify the Username, Domain name, password, executable and path that installs run under.  Compile this into an exe file (AutoIT can do this with encryption) and place it on a share that users can access.  This way you keep users out of the local admin group and at the same time they can install approved applications.

I hope this helps.  Let me know if you have any questions.

Accepted Solution

CharliePete00 earned 1000 total points
ID: 17797224
Creating desktop administrators is fairly common practice.  In your situation I would do the following.

1.  Create OUs for each classroom
2.  Add the computers in each classroom to the appropriate OU
3.  Create desktop administrator group for each classroom
4.  Add the appropriate desktop administrator group to the Local Administrators group on each computer in the classroom
5.  Add the instructor's domain account to the appropriate desktop administrator group for their classroom.

Since this is a school setting and you will have students testing their boundaries you may also want to look at restricting membership in the Local Administrators group.  See the following for more info:

You may also find that the instructor needs to be able to have some administrative control of AD accounts in their classrooms.  See the following post on delegating control for more info:

Good luck!
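
The five steps in the accepted answer, written out as a batch file for a Windows 2003 domain. This is an added example, not code from the answer or its author. The names in it are assumptions to replace with your own: domain DC=school,DC=local (NetBIOS name SCHOOL), classroom Room101, computer RM101-PC01 and teacher account jsmith.

```batch
@echo off
rem Added example: per-classroom desktop administrators (steps 1-5 above).
rem Assumed names: school.local / SCHOOL, Room101, RM101-PC01, jsmith.
rem Usage: deskadmin.cmd setup [Room]  or  deskadmin.cmd startup [Room]
setlocal
set DOMAIN_DN=DC=school,DC=local
set NETBIOS=SCHOOL
set ROOM=Room101
if not "%~2"=="" set ROOM=%~2
set ROOM_OU=OU=%ROOM%,%DOMAIN_DN%
set ADMIN_GROUP=%ROOM%-DesktopAdmins

if /i "%~1"=="setup"   goto setup
if /i "%~1"=="startup" goto startup
echo Usage: %~nx0 setup^|startup [Room]
exit /b 1

:setup
rem Run once, as a domain admin, on a machine with the ds* tools installed.
rem 1. Create the classroom OU.
dsadd ou "%ROOM_OU%" -desc "Computers in %ROOM%"
rem 2. Move a classroom computer into the OU (repeat for each computer).
dsmove "CN=RM101-PC01,CN=Computers,%DOMAIN_DN%" -newparent "%ROOM_OU%"
rem 3. Create the desktop administrator group as a global security group.
dsadd group "CN=%ADMIN_GROUP%,%ROOM_OU%" -secgrp yes -scope g -samid %ADMIN_GROUP%
rem 5. Add the instructor's domain account to that group.
dsmod group "CN=%ADMIN_GROUP%,%ROOM_OU%" -addmbr "CN=jsmith,CN=Users,%DOMAIN_DN%"
exit /b 0

:startup
rem 4. Runs on each classroom computer, for example as a computer startup
rem    script in a GPO linked to the classroom OU, so that only that room's
rem    machines receive the group. Skips the add if it is already a member.
net localgroup Administrators | find /i "%NETBIOS%\%ADMIN_GROUP%" >nul
if errorlevel 1 net localgroup Administrators "%NETBIOS%\%ADMIN_GROUP%" /add
exit /b 0
```

Because the teacher is a member of the classroom group and not of the local Administrators group directly, moving a teacher to another room is a group membership change in AD and needs no visit to the computers.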

Author Comment

ID: 17799386
Wow!  I ran off to teach a couple classes and you guys wrote a novel!  Thanks!  I'm still digesting the information, but I can see you have given me some great stuff.

In the meantime, I will make a few comments.  Regarding your observations about the wisdom of giving administrative rights to users--I'm with you on every point.  I know it would create a huge headache.  I want everyone to log on to the network all the time, and I want the local administrative password to be known only by me.  The only reason for that account is for me to be able to get into the computer if it gets kicked off the network.

This brings up the issue of laptops.  Some staff have laptops which they use as their class computer.  They log onto the laptop (local account) here at school so that when they take the laptop home, they get the same personalized settings.  I would like them to log onto the network instead, but do not know how to configure this so that when they get somewhere else those settings are preserved.

I haven’t added anything to this for 45 minutes (got called out) so I will just post it before the thoughts get cold.
LVL 26

Expert Comment

ID: 17799932

User laptops are a problem all their own, but barring anything from on high (read: school administrations and negotiated with the teacher's union), there's going to be nothing you can do about those.

I'd recommend changing the local admin password on the school-controlled systems immediately and killing off all other local accounts on those systems anyway for good measure.

A word on the kids - they WILL find a way to hack the network. It's your skills versus ALL of theirs. Don't hand them tools like a local admin account that's left unattended. ;-)


Author Comment

ID: 17805994
I looked into all of the solutions offered, and though all sound great, there are only two I can see myself using much.  I will split points between those two contributors.  



Expert Comment

ID: 17806068
Good Luck! and thanks.



Question has a verified solution.
