Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium


Windows Domain desktops

Posted on 2007-08-05
Medium Priority
Last Modified: 2010-03-17
1 windows 2003 DC at main site
3 windows 2000 DC's @ remote sites

Win xp /2000 desktop

40 plus remote sites

We created a ghost image and create a standard desktop, then copy that profile over to the "default user" profile... and "everyone" is allowed to use this profile.
Currently users have to be added as an administrator on the desktop to be able to add printers and have full functionality of their desktop. We have experienced alot of users moving around and they currently call the help desk so that we can add them as an administrator to their desktop. I know there must be an easier way...group policy, but I haven't found an one.


Question by:speedracer180
  • 2
LVL 70

Accepted Solution

KCTS earned 1000 total points
ID: 19634473
You want to be able to add domain users as local admins ?

Try to avoid this is possible - try loading the 'Compatible template first and see if that does the trick

On a test machine from the command line run GPEDIT.MSC
Computer Configuration>Windows Settings
Right-click Security Settings and select Import Policy...
Select COMPATWS.INF from C:\Windows\Security\Templates
Press OK.

If you want to automatically add a domain security group to the Local Administrators group then:-
Set a startup script in group policy with the following line:

NET localgroup Administrators /add "DomainName\DomainSecurityGroup"

obviousy use the correct DomainName and SecuirityGroup for your domain

Expert Comment

ID: 19641153
You say they do not have full functionality without being an admin but besides not being able to add their printers what functionality do they need?  Also are these local printers that the users can not install without admin rights?

Author Comment

ID: 19645310
Users can not add printers,
change desktop settings,
check network properties
cannot install applications
we have a hosted payroll app that installs java and the company pushes updates so the users can do their time cards.The outside company dicates that the logged in user must be an administrator on the PC.

Assisted Solution

funnyfingers earned 1000 total points
ID: 19645935
KCTS may have a good answer but I will suggest something different.

Create a new security group maybe by site or by region (maybe region since there are 40 sites).
Add users to the appropriate security group.
Add the approriate security group to the machines.

This would solve the problem of people moving around and not having the administrative rights.  The only problem I see with this is a user having administrative rights on another machine.

Featured Post

Receive 1:1 tech help

Solve your biggest tech problems alongside global tech experts with 1:1 help.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Compliance and data security require steps be taken to prevent unauthorized users from copying data.  Here's one method to prevent data theft via USB drives (and writable optical media).
I’m willing to make a bet that your organization stores sensitive data in your Windows File Servers; files and folders that you really don’t want making it into the wrong hands.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…
Suggested Courses

564 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question