We help IT Professionals succeed at work.

Admin Rights on Machine & User Privelages on Domain.

Ryman1
Ryman1 asked
on
207 Views
Last Modified: 2013-11-05
I'm trying to set up my Windows 2003 server so that on the desktop pc's we have local administrator rights, but user rights on the domain. how would i go about setting this up? i

Can I create a policy and add users? How is this done from the domain controller - or must it be done on the desktop?

Our domain users generally need to be able to install software on their machines.
Comment
Watch Question

Top Expert 2007
Commented:
This one is on us!
(Get your first solution completely free - no credit card required)
UNLOCK SOLUTION
CERTIFIED EXPERT
Top Expert 2005
Commented:
This one is on us!
(Get your first solution completely free - no credit card required)
UNLOCK SOLUTION

Author

Commented:
I'm guessing I need to back up a little.

I'm logged onto the DC and looking at the user I want to have Local Admin Rights. He's the owner so I added him as an Administrator, but he was not able to install Office.

From the Domain Controller, how do give this particular user complete admin rights? How do I add users as local admins?


Does the Administrator Account have Local Admin Rights by default?
CERTIFIED EXPERT
Top Expert 2005
Commented:
This one is on us!
(Get your first solution completely free - no credit card required)
UNLOCK SOLUTION

Author

Commented:
Thanks for the clarification.

So if I a user has been added to the Administrators group on the DC, will they be able to give themselves local admin priv's on the desktop? ..the way aissim says? If not, how do I make this use a Domain Admin?

If I'd like to have a few users to have Local Admin Privelages on their machine, would I use restricted groups?
Top Expert 2007
Commented:
This one is on us!
(Get your first solution completely free - no credit card required)
UNLOCK SOLUTION
CERTIFIED EXPERT
Top Expert 2005
Commented:
This one is on us!
(Get your first solution completely free - no credit card required)
UNLOCK SOLUTION

Author

Commented:
Netman66,

When you say:

"in a GPO attached to the domain, under Computer Config>Windows Setting>Security Settings, right click Restricted Groups and select Add Group."

Do you mean type gpedit.msc and browse to this area? When I did that, I see the following:

Account Policies, Local Policies, Public Key Policies, Software Restrictions, Ip Security.

I don't see restricted groups.

Author

Commented:
Ah, I see my problem. You must do it from ADUC, not gpedit.msc

So....I fear choosing Administrator. Is this just Local Machine Admin - I want to make sure.

Also, does this give them access to all data on all Desktops connected to the Domain?
CERTIFIED EXPERT
Top Expert 2005

Commented:
You  must create a security group to use for this and add the users in that you want to have local Admin rights - unless it's everyone, then you can use Domain Users.

Browse to Domain Users when you add the Restricted Group.
Then select the lower section of the membership - "This group is a member of" and manually type in Administrators.

Author

Commented:
So here's what I did to give domain users Local Admin rights:

1) Using ADUC, I right clicked the USERS Folder and selected properties, then Group Policy Tab
2) It was empty, so I created a new policy and called it "Local Admin Rights" and hit edit
3) The GP Objects editor opened up and I browsed to Restricted Group and hit Add Group
4) I Added Administrators

Is this the correct step by step method to give domain users the rights of Local Admins?

Also, does this give them access to all data on all Desktops connected to the Domain?
CERTIFIED EXPERT
Top Expert 2005
Commented:
This one is on us!
(Get your first solution completely free - no credit card required)
UNLOCK SOLUTION
Unlock the solution to this question.
Join our community and discover your potential

Experts Exchange is the only place where you can interact directly with leading experts in the technology field. Become a member today and access the collective knowledge of thousands of technology experts.

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.