Ryman1
asked on
Admin Rights on Machine & User Privelages on Domain.
I'm trying to set up my Windows 2003 server so that on the desktop pc's we have local administrator rights, but user rights on the domain. how would i go about setting this up? i
Can I create a policy and add users? How is this done from the domain controller - or must it be done on the desktop?
Our domain users generally need to be able to install software on their machines.
Can I create a policy and add users? How is this done from the domain controller - or must it be done on the desktop?
Our domain users generally need to be able to install software on their machines.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks for the clarification.
So if I a user has been added to the Administrators group on the DC, will they be able to give themselves local admin priv's on the desktop? ..the way aissim says? If not, how do I make this use a Domain Admin?
If I'd like to have a few users to have Local Admin Privelages on their machine, would I use restricted groups?
So if I a user has been added to the Administrators group on the DC, will they be able to give themselves local admin priv's on the desktop? ..the way aissim says? If not, how do I make this use a Domain Admin?
If I'd like to have a few users to have Local Admin Privelages on their machine, would I use restricted groups?
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Netman66,
When you say:
"in a GPO attached to the domain, under Computer Config>Windows Setting>Security Settings, right click Restricted Groups and select Add Group."
Do you mean type gpedit.msc and browse to this area? When I did that, I see the following:
Account Policies, Local Policies, Public Key Policies, Software Restrictions, Ip Security.
I don't see restricted groups.
When you say:
"in a GPO attached to the domain, under Computer Config>Windows Setting>Security Settings, right click Restricted Groups and select Add Group."
Do you mean type gpedit.msc and browse to this area? When I did that, I see the following:
Account Policies, Local Policies, Public Key Policies, Software Restrictions, Ip Security.
I don't see restricted groups.
ASKER
Ah, I see my problem. You must do it from ADUC, not gpedit.msc
So....I fear choosing Administrator. Is this just Local Machine Admin - I want to make sure.
Also, does this give them access to all data on all Desktops connected to the Domain?
So....I fear choosing Administrator. Is this just Local Machine Admin - I want to make sure.
Also, does this give them access to all data on all Desktops connected to the Domain?
You must create a security group to use for this and add the users in that you want to have local Admin rights - unless it's everyone, then you can use Domain Users.
Browse to Domain Users when you add the Restricted Group.
Then select the lower section of the membership - "This group is a member of" and manually type in Administrators.
Browse to Domain Users when you add the Restricted Group.
Then select the lower section of the membership - "This group is a member of" and manually type in Administrators.
ASKER
So here's what I did to give domain users Local Admin rights:
1) Using ADUC, I right clicked the USERS Folder and selected properties, then Group Policy Tab
2) It was empty, so I created a new policy and called it "Local Admin Rights" and hit edit
3) The GP Objects editor opened up and I browsed to Restricted Group and hit Add Group
4) I Added Administrators
Is this the correct step by step method to give domain users the rights of Local Admins?
Also, does this give them access to all data on all Desktops connected to the Domain?
1) Using ADUC, I right clicked the USERS Folder and selected properties, then Group Policy Tab
2) It was empty, so I created a new policy and called it "Local Admin Rights" and hit edit
3) The GP Objects editor opened up and I browsed to Restricted Group and hit Add Group
4) I Added Administrators
Is this the correct step by step method to give domain users the rights of Local Admins?
Also, does this give them access to all data on all Desktops connected to the Domain?
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I'm logged onto the DC and looking at the user I want to have Local Admin Rights. He's the owner so I added him as an Administrator, but he was not able to install Office.
From the Domain Controller, how do give this particular user complete admin rights? How do I add users as local admins?
Does the Administrator Account have Local Admin Rights by default?