burmzorz asked:

User Rights on 2008 Domain

I have created a Windows 2008 domain and added the users' machines to the domain, and they are now logging in as authenticated users to the domain. They, however, do not have rights to do anything such as install programs, add to their favorites, etc. How do I enable them to be able to do this? Is this a default setting in the 2008 domain? I have never had this happen before. Any help would be nice. Thank you

Dustin Burmeister
ASKER CERTIFIED SOLUTION
TDKD

SOLUTION
on their "Workstations" directly in the local groups.
If you have multiple users that need to be added, you can use scripting. Check this out:
http://www.microsoft.com/technet/scriptcenter/resources/qanda/oct04/hey1008.mspx

K
>To have permission to perform install/add.... you need the users to be part of local administrators group. Get in local administrators group (on a PC) and add domain users in it. This will solve your problem.

A word of caution burmzorz, you do not want to add the domain level group named "Domain Users" to the local "Administrators" group on all users' "Workstations", unless you do not care that all the domain users would in fact have "Administrative Rights" to each other's "Workstations" (huge security risk!!).

I would add the individual user (who is the owner of the PC) to the local "Administrators" group of their own "Workstation".
zen_68

I just log on to the local machine, NOT THE DOMAIN, with a local admin account. Then go to CP, users and add domain user and give admin rights.
Right-click My Computer > Manage > Expand Local Users and Groups > click the Groups folder > in the right-hand pane, double-click the group you want to add this user to > type their username and click the Check Names button. Click OK to add the user to the group.

However, if you are on a domain, you should just open Active Directory Users and Computers, and add that user to the Power users group on the domain.  This should take care of all permissions for that person across all the computers on your network.
burmzorz (ASKER)

So that is the only way for them to perform add/install function huh? That really bites. We aren't really that up and going so they all need the rights. I figured that might be the only way, but if you have any other way just let me know. I'll award points in a couple hours after I've seen if anyone else has a way.
>(huge security risk!!). ....

What security risk is all about when you add just domain users? Security risk only happens when you expose your permission to the outside world. The advantage is you can share resource among the users and the disadvantage is just when you want to dedicate that particular HW to a person.

K
>(huge security risk!!). ....
>
>What security risk is all about when you add just domain users? Security risk only happens when you expose your permission to the outside world. The advantage is you can share resource among the users and the disadvantage is just when you want to dedicate that particular HW to a person.

My Response:

Partly true lnkevin, the outside world is always a risk. But also viruses/Trojans/malware/spyware can spread from machine to machine in your environment; because all domain users would have unrestricted rights to one another's PCs, they could spread these threats much more easily than if they did not have local Admin rights on all users' PCs. Also, a disgruntled employee or simply someone with prying eyes internally is always a possible threat.
Hi burmzorz,

I have a batch file I created which will add any domain (or local) users or groups to the local Administrators group as a login script. I will test as a user who has no admin rights and see if I can run as the "System" account (which is superior to even the Admin account) and be in touch.
You may want to consider a script that a "Domain Admin" could run, since all "Workstations" when registered on a Domain automatically place the "Domain Admin" in the local "Administrators" group, the domain admin would have rights to run this script from their own PC, thus adding users or groups to the remote PC's.

http://www.microsoft.com/technet/scriptcenter/resources/qanda/oct04/hey1008.mspx
By the way, how many users are we talking about?
Your VBS script could be as simple as:

In this sample I am adding a user named dwarchol to the local administrators group on the PC named morris-m, the domain is corp.

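' Workstation whose local Administrators group is being changed
strComputer = "morris-m"
' Bind to that machine's local Administrators group via the WinNT provider
Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators")
' Bind to the domain account corp\dwarchol
Set objUser = GetObject("WinNT://corp/dwarchol")
' Add the domain account to the local group
objGroup.Add(objUser.ADsPath)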
You would run this as yourself from your own desktop, if you have local Admin rights on the PC in question.
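
The caution earlier in the thread about putting "Domain Users" into the local "Administrators" group can be checked after the fact by listing who is in that group on each workstation. The PowerShell below is an added example, not code from any poster in this thread; the function names, the list of broad principals and the sample membership data are assumptions constructed for illustration, using the same WinNT provider as the VBScript above.

```powershell
# Added example: flag over-broad members of the local Administrators group.
# Assumed list of principals that hand admin rights to a whole population.
$BroadPrincipals = 'Domain Users', 'Authenticated Users', 'Everyone', 'INTERACTIVE'

function Get-LocalAdminPath {
    # Returns the ADsPath of each member of the local Administrators group
    # on $Computer (needs admin rights on that machine).
    param([Parameter(Mandatory)][string]$Computer)
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
    }
}

function Find-BroadLocalAdmin {
    # Takes ADsPath strings (WinNT://DOMAIN/Name) and emits one object per
    # member, marking the ones that match $BroadPrincipals.
    param([string]$Computer, [string[]]$AdsPath)
    foreach ($path in $AdsPath) {
        $name = ($path -split '/')[-1]          # last path segment = account name
        [pscustomobject]@{
            Computer = $Computer
            Member   = $path -replace '^WinNT://', ''
            TooBroad = $BroadPrincipals -contains $name   # case-insensitive match
        }
    }
}

# Constructed sample data: what two workstations might return.
$sample = @{
    'morris-m' = 'WinNT://corp/morris-m/Administrator',
                 'WinNT://corp/Domain Admins',
                 'WinNT://corp/dwarchol'
    'pc-02'    = 'WinNT://corp/pc-02/Administrator',
                 'WinNT://corp/Domain Admins',
                 'WinNT://corp/Domain Users'
}

$report = foreach ($pc in $sample.Keys) {
    Find-BroadLocalAdmin -Computer $pc -AdsPath $sample[$pc]
}

# Only pc-02's "corp/Domain Users" entry is flagged in the sample.
$report | Where-Object TooBroad | Format-Table -AutoSize

# Live use against real machines (hypothetical names):
# 'morris-m', 'pc-02' | ForEach-Object { Find-BroadLocalAdmin $_ (Get-LocalAdminPath $_) }
```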