LibertyIMS asked:

Best Way to give users FULL control of their local machine without accessing other computers (C$)

I am trying to find the best way to lock my users down from being able to access other workstations via the admin share C$. Currently our network is set up so that all workstations have the <domainname>\Domain Users group in each of the local workstations' Administrators group. This was set up this way because we need every user to be able to install software / remove software / start & stop services, update the clock, etc etc... However, we don't want these users accessing other workstations via the remote share C$.

I believe I could set each user up in their local admin group and that would stop them from accessing other machines, BUT if that user tried to log onto another machine it would not allow them the same rights as they have on their own workstation.



OS Security

TheCapedPlodder

You could create a logon script that adds the user to the local administrators group:

net localgroup Administrators %userdomain%\%username% /add

You can then also create a logoff script that removes the user from the local administrators group:

net localgroup Administrators %userdomain%\%username% /delete

You will obviously need to run the first script with elevated permissions as the user won't have the rights to add themselves to the local administrators group.

Cheers,

J
Todd Gerbert

I think if you put "DOMAIN\Domain Users" in local "Power Users" instead of Administrators they will be able to do everything without getting to other machines' admin shares.

Although I think this is a poor security model. ;)
Shift-3

Remove Domain Users from the local Administrators group and add the local INTERACTIVE account in its place.  This will give administrative rights to anybody who is logged directly into the machine (either physically or through Remote Desktop, if allowed) but will not grant any extra rights to users connecting over the network.
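Shift-3's approach as a per-workstation PowerShell script, an added example that is not code from this thread. It assumes Windows PowerShell 5.1 (for Get-LocalGroupMember) and an elevated prompt; it reports the current Administrators membership, then uses the thread's own net localgroup commands to add INTERACTIVE before removing Domain Users, and only changes anything when -Apply is given.

```powershell
# Added example: report, and optionally apply, the INTERACTIVE-for-Domain-Users swap.
# Assumptions: run elevated on the workstation; $Domain defaults to the logon domain.
param(
    [string]$Domain = $env:USERDOMAIN,   # assumption: the workstation's domain name
    [switch]$Apply                        # without -Apply this is a dry run
)

$group        = 'Administrators'
$domainUsers  = "$Domain\Domain Users"
$interactiveSid = 'S-1-5-4'               # well-known SID of NT AUTHORITY\INTERACTIVE

# Current membership: INTERACTIVE is matched by SID, Domain Users by name.
$members = Get-LocalGroupMember -Group $group
Write-Host "Current members of ${group}:"
$members | ForEach-Object { Write-Host "  $($_.Name)  [$($_.SID.Value)]" }

$hasInteractive = ($members | Where-Object { $_.SID.Value -eq $interactiveSid }).Count -gt 0
$hasDomainUsers = ($members | Where-Object { $_.Name -eq $domainUsers }).Count -gt 0

function Invoke-NetLocalGroup([string[]]$NetArgs) {
    # Same command the thread uses; fail loudly instead of continuing half-applied.
    & net.exe localgroup @NetArgs
    if ($LASTEXITCODE -ne 0) { throw "net localgroup $($NetArgs -join ' ') failed ($LASTEXITCODE)" }
}

# Order matters: grant interactive admin rights first, then drop the group that
# also granted them to every domain user over the network (C$ and friends).
if (-not $hasInteractive) {
    Write-Host "Add: INTERACTIVE -> $group"
    if ($Apply) { Invoke-NetLocalGroup @($group, 'INTERACTIVE', '/add') }
}
if ($hasDomainUsers) {
    Write-Host "Remove: $domainUsers -> $group"
    if ($Apply) { Invoke-NetLocalGroup @($group, $domainUsers, '/delete') }
}
if ($hasInteractive -and -not $hasDomainUsers) { Write-Host 'Already in the desired state.' }
```

Run it once without -Apply to confirm the group names resolve on that machine, then with -Apply; users who are local admins only through INTERACTIVE keep full rights at the console or over Remote Desktop but get no extra rights when connecting to \\computername\C$.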
ASKER CERTIFIED SOLUTION
TheCapedPlodder

LibertyIMS

ASKER
Shift-3:

How do I access the "local INTERACTIVE account"?

LibertyIMS

ASKER
TheCapedPlodder

Since currently all the users have the full domain rights, I should be able to add the users themselves into the Administrators group on the local machine with your login script example... however, what would be the command to remove the DOMAIN USERS?

net localgroup Administrators %userdomain%\%username% /delete

tells me it can't find DOMAIN. I thought a %20 might work in between DOMAIN <and> USERS, but that failed as well.
LibertyIMS

ASKER
What I meant to say about the FULL DOMAIN RIGHTS is that each user currently has the DOMAIN USERS group in their local Administrators group.... and therefore, as long as I add their own name to the local admin group before I remove the DOMAIN USERS, it should work fine, right?

BTW, here is the entire script

net localgroup Administrators %userdomain%\%username% /add
net localgroup Administrators %userdomain%\domain users /delete

however, I can't get past the space in the DOMAIN USERS.
LibertyIMS

ASKER
This worked...

net localgroup Administrators "%userdomain%\domain users" /delete
SOLUTION
Shift-3

naldiian

I guess my only question is, what are you trying to accomplish?

Your last statement in the original post reads as though you realize you could add each user's domain account to the local Administrators group of their workstation to provide for the need to be admins locally (though I don't know that this is really necessary) without being able to access other systems as admins, and then you say "but" they would then not have admin rights on other systems, as though that is a problem.

So you want folks to be local admins for the workstations, but not be able to access other workstations using admin shares, yet you do want them to be able to simply go log onto any other workstation as an admin... why change anything?

Shift-3's method is the way to go to accomplish what I understand as your objective, but I really don't see a need to do anything, because the end result is basically the same as your current scenario -- any user can do anything they want to any workstation.
LibertyIMS

ASKER
Here is the situation:

It was discovered that on every workstation the local ADMINISTRATORS group contained <domainname>\Domain Users, and as you know all users are part of the Domain Users group (generally), which gave all users access to their local machines like we wanted. We need to have most employees be able to install software, modify the registry, start and stop services etc., and that worked just fine for us for a long time.

Then the other day it was brought to our attention that one of the tech people could access the CEO's workstation via the \\computername\c$ share. This was because this user was part of the DOMAIN USERS group and this group had been added to this local computer, which allowed this tech user rights to the CEO's workstation. When the CEO goes home at night he turns off his system and locks his door, so there is no real threat of physical access to the data.

So what I am trying to accomplish is to continue to allow employees the ability to install software, modify the registry, start and stop services etc. HOWEVER, we don't want any of the users to type in \\CEOCOMPUTERNAME\C$ and be able to access everything on the CEO's workstation. It would be quite obvious if this person went into the CEO's office, sat down at the desk and started poking around on the computer. This is why I still want the ability to have the machines open to the users; however, I don't want the user to be able to access the remote shares on these other machines.

I know this seems a little strange and may not be the best environment, but it works for us; we just need to stop the ability of users to access the remote shares.