How to give XP Pro users admin rights to their local machine when logging in using an Active Directory username and password

If you don't mind all users having admin rights to all machines then add the Domain Users group to the Local Administrators group on each workstation.

If you want each user to have administrator access to their machine then add that user's Domain account to the Local Administrators group on their machine.

Next question is do you want an automated way of doing this?

Steve

let me see if i have this clear- the clients were not previously on a domain and now you are adding them to a domain?

if so, then you will have to set up local accounts on all of the clients (and give the local accounts admin privs) when joining the clients to the domain.

i don't want to get into step by step instructions yet because i'm not sure i understand your issue completely.  once you clarify, i will continue.

Sorry just re-read your question again and you've already specified the scpoe. Ignore that first sentence.

Steve

sjepson wrote:

>If you want each user to have administrator access to their machine then add that user's Domain account >to the Local Administrators group on their machine.

>Next question is do you want an automated way of doing this?



Yes, you're on the right track.  I need some step-by-step instructions on this please.  Please clarify if i actually have to do it while in front of the user's computer, or is it all server-side.

Thats a big ball of fire you are playing wit there. If you add Domain users to the local admin group, then they can all move to any workstation, and have thier way with it. Your creating a support nightmare (depending on how many users you are talking about). You can setup GPO to allow them to install printers and such, and with the domain, probably push out updates and the like.

If you really want to do it though, just add thier userId (domain\userid) to the local administrators group on each machine. Or as suggested above, add "Domain Users" to the same....

All computer side though....

I hear you Johnb6767,

Perhaps i'll only give users local admin rights temporarily, when i want them to be able to install software, etc.

PsTools v2.43
http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/PsTools.mspx

You can use these remotely for remote Process Execution, like starting apps, and updates. Then there is also remote registry and other things built in to XP you can utilize for these tasks. Even if you had to remote in and launch an update 10 times a week, think of the amount of headaches you will save without handing away the keys to the front door, when you give the whole network admin rights.....

presumably, i could make an alternate version with /add changed to /remove, and it would remove them from the Local Admin group?

Sure

Keep in mind, by doing that you are giving every domain user Admin access to EVERY computer........Which is what you didnt want to do in the beginning.....

" don't want them to have admin privileges for the server or other machines on the network - just their own. "

If you really want to do it for each machine that they are logged into, shut all the machines down, and force them to logon fresh the next morning, say for maintenance...

Add this to your login script, or create a seperate batch file for it. It will take the USERID that they log into the system with, and add that to the group.....Instead of every user to every machine.....

net localgroup Administrators %username% /add

Then remove this after a few days to catch almost everyone, or at least the vast majority. Might be a bit more work, but if you are going to do it, you might as well lmiit it where you can.....