
How to Assign Domain User Group the local Administrator Right on all client machines.

I have Windows 2000 Server (Domain Controller) & around 200 Windows 2000 Professional (Clients).

I want to ask how to give some user group the local administrative rights on all client machines so that the users belonging to that group can install the software themselves.

thanks
Sher
0
Asked by: shersinghrawat
 
Toni Uranjek (Consultant/Trainer) commented:
Hi!

You can use Restricted groups GPO. I would suggest that you create "Desktop admins" and make it a member of local administrators group. Details are posted here: http://www.windowsecurity.com/articles/Using-Restricted-Groups.html

If you need more information let me know...

HTH

Toni
0
 
KCTS commented:
Log on as administrator to the local computer
Right click on "My Computer" and select "Manage"
Select "Local Users and Groups" and open "Groups"
Open the "Administrators" group
Click "Add"
Type the username in full, e.g. MyDomain\UserName
then OK everything

You will have to do this to each computer that you want the user to have local administrator access - alternatively you could use a script - see
http://www.windowsnetworking.com/kbase/WindowsTips/Windows2003/AdminTips/Admin/UsingaScripttoAddaDomainUsertoaLocalGroup.html
0
 
tej071 commented:
You can create a script and assign it as a computer startup policy:
net localgroup administrators "domainname\domain admins" /add
net localgroup administrators "domainname\group name" /add
0
 
shersinghrawat (Author) commented:
Hi tej071
Thanks
but tell me in brief how it works and the difference between the following two commands:

net localgroup administrators "domainname\domain admins" /add
net localgroup administrators "domainname\group name" /add

Sher
0
 
tej071 commented:
The first adds the domain admin group to the local administrator group and the second is one I added to show you how to write it. Where it says domainname, put the name of your domain, and where it says group name, put the group that you want to have access to the local admin group.

We make a batch file and place this as a startup script for our computers.  This way it runs as the computer and not the user.
Tom
0
 
shersinghrawat (Author) commented:
Dear tej071

Thanks for your suggestion. I will try this.
0
 
shersinghrawat (Author) commented:
Dear Tej071

I tried your solution but was not able to do what I want. Now I will explain in detail.
I am in an educational organization with the following setup:

Domain Name: bbk.org
- Windows 2000 Server as Domain Controller (Computer name: bbksrv)
- Around 200 Windows 2k Prof./WinXP as Workstations

In my Active Directory I have mainly two types of User Groups apart from administrators:

1.) Students  (about 50 members in this group) applied  GPO "GPOStudents" to this group
2.) Teachers (about 20 members in this group) applied GPO "GPOTeachers" to this group

Please note that the workstations do not have any user/administrator-created groups/users. They only contain the default users and groups.

I want all the members of the group 'Teachers' to be members of the 'Administrators' group of all the local workstations using a batch script. I have used the following batch script in the User Configuration section of "GPOTeachers" to do this but was not able to get the result:

net user %username% /add
net localgroup administrators /add %username%

Please solve my problem.

Thanx
Sher
0
 
tej071 commented:
Try this:
net localgroup administrators "bbk.org\Teachers" /add

Then from a command prompt on a local machine type:

gpupdate /force

And then reboot.  Please make sure the GPO is applied as a computer startup policy.  Copy the exact line I typed above into your original GPOTeachers.bat batch file.  Where are you storing this batch file to be pulled for the GPO?

The command I typed above tells the computer to add to a local group "netlocal" called administrators a group from the domain bbk.org a group called Teachers.  If this isn't working you need to verify that the GPO is actually being applied to the machine.

You can try running RSOP.MSC and gpresult from a command prompt.

Please let me know if this works for you.
Tom
0
 
shersinghrawat (Author) commented:
Sorry Tom,
It does not work. On a Win2k Prof. workstation I logged on using the domain username Raj (which is a member of the group Teachers). I tried to run [net localgroup administrators "bbk.org\Teachers" /add] at the command prompt but got the following error:

System error 5 has occured.
Access is denied.

I think the group Teachers does not have privileges to use the Net Localgroup command.
What should I do now?

Sher
0
 
tej071 commented:
You are correct that Raj doesn't have the rights.  Are your computers part of the bbc.org domain?  If so you need to create a batch file with those commands and place it as a group policy on your domain controller.  Then you need to apply that GPO to the OU where your workstations reside.  The GPO must be a computer-based GPO which is run at startup so that it runs as the system, which has the permissions.  Once this GPO is made you will need to run gpupdate /force from a command prompt on your local computer to get the GPO to run.

You should not be running those commands from the local machine as you will have to run it at each machine which is time consuming.  I can tell you that the GPO option does work as we are currently doing that same exact GPO.

Tom
0
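The computer startup script described in this answer, written out as an added example that is not part of the original thread. It assumes the domain bbk.org and the group Teachers named earlier in the thread; the log file path is hypothetical.

```batch
@echo off
rem Added example: idempotent computer startup script for a workstation OU.
rem Assumed values: bbk.org\Teachers comes from the thread, the log path is hypothetical.
setlocal
set "GROUP=bbk.org\Teachers"
set "GROUPNAME=\Teachers"
set "LOG=%SystemRoot%\Temp\localadmin-startup.log"

rem A startup script runs in the computer's security context, not the user's.
rem That is why the same command fails with "System error 5" when a member of
rem Teachers runs it from a logon session or a User Configuration logon script.
echo [%DATE% %TIME%] %COMPUTERNAME%: startup script started >> "%LOG%"

rem net localgroup lists domain members as DOMAIN\name, so match on the group
rem name only. Skipping the add when the group is already present keeps repeat
rem boots from logging an "already a member" failure.
net localgroup Administrators | find /i "%GROUPNAME%" > nul
if not errorlevel 1 goto audit

net localgroup Administrators "%GROUP%" /add >> "%LOG%" 2>&1
if errorlevel 1 (
  echo [%DATE% %TIME%] FAILED to add %GROUP% >> "%LOG%"
  goto end
)
echo [%DATE% %TIME%] added %GROUP% >> "%LOG%"

:audit
rem Record the resulting membership so that any account other than the
rem expected ones can be spotted when the logs are reviewed.
echo [%DATE% %TIME%] current members of Administrators: >> "%LOG%"
net localgroup Administrators >> "%LOG%"

:end
endlocal
```

The script only takes effect when the GPO that carries it is linked to the OU containing the workstation computer accounts and it is assigned under Computer Configuration as a startup script.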
 
shersinghrawat (Author) commented:
Hi Tom

Ultimately I succeeded in the task.
Thanks for your valuable suggestions. Without your help it would not have been possible.

Again, I want the control panel to show only certain applets for the Teacher group (the group which I added to the local Administrators group). For this purpose, in the related GPO's User Configuration->Administrative Templates->Control Panel I enabled the option 'Show only specified control panel applets' and added the .cpl files which I wanted to add, and it worked. I want to ask two things here:
1. The name of the .cpl file for Keyboard Properties.
2. I also added the file odbccp32.cpl (ODBC Data Source Administrator) but the applet is not displayed in the control panel on client machines. (I think the reason may be, in control panel, it is under another applet 'Administrative Tools'.) Please tell me how to do that.....

Thanks
Sher

0
