User Rights on 2008 Domain

Last Modified: 2013-12-04
I have created a Windows 2008 domain and added the users' machines to the domain, and they are now logging in as authenticated users to the domain. They, however, do not have rights to do anything such as install programs, add to their favorites, etc. How do I enable them to be able to do this? Is this a default setting in the 2008 domain? I have never had this happen before. Any help would be nice. Thank you.

Dustin Burmeister

Technical Liaison
Commented:
Hi burmzorz,

It sounds like you are referring to the users' ability to perform these functions on their "Workstations". If this is correct, they would need to be added to the "Power users" or local "Administrators" group to perform these said functions.

Top Expert 2009
Commented:
To have permission to perform install/add.... you need the users to be part of local administrators group. Get in local administrators group (on a PC) and add domain users in it. This will solve your problem.

K
TDKD, Technical Liaison

Commented:
on their "Workstations" directly in the local groups.
Top Expert 2009

Commented:
If you have multiple users that need to be added, you can use scripting. Check this out:
http://www.microsoft.com/technet/scriptcenter/resources/qanda/oct04/hey1008.mspx

K
TDKD, Technical Liaison

Commented:
>To have permission to perform install/add.... you need the users to be part of local administrators group. Get in local administrators group (on a PC) and add domain users in it. This will solve your problem.

A word of caution, burmzorz: you do not want to add the domain-level group named "Domain Users" to the local "Administrators" group on all users' "Workstations", unless you do not care that all the domain users would in fact have "Administrative Rights" to each other's "Workstations" (huge security risk!!).

I would add the individual user (who is the owner of the PC) to the local "Administrators" group of their own "Workstation".

Commented:
I just log on to the local machine, NOT THE DOMAIN, with a local admin account. Then go to CP, users and add domain user and give admin rights.

Commented:
Right-click My Computer > Manage > Expand Local Users and Groups > click the Groups folder > in the right-hand pane, double-click the group you want to add this user to > type their username and click the Check Names button. Click OK to add the user to the group.

However, if you are on a domain, you should just open Active Directory Users and Computers, and add that user to the Power users group on the domain.  This should take care of all permissions for that person across all the computers on your network.

Author

Commented:
So that is the only way for them to perform add/install function, huh? That really bites. We aren't really that up and going so they all need the rights. I figured that might be the only way, but if you have any other way just let me know. I'll award points in a couple hours after I've seen if anyone else has a way.
Top Expert 2009

Commented:
(huge security risk!!). ....

What security risk is all about when you add just domain users? Security risk only happens when you expose your permission to the outside world. The advantage is you can share resource among the users and the disadvantage is just when you want to dedicate that particular HW to a person.

K
TDKD, Technical Liaison

Commented:
>(huge security risk!!). ....

>What security risk is all about when you add just domain users? Security risk only happens when you expose your permission to the outside world. The advantage is you can share resource among the users and the disadvantage is just when you want to dedicate that particular HW to a person.

My Response:

Partly true, lnkevin, the outside world is always a risk. But also viruses/Trojans/Malware/Spyware that can spread from machine to machine in your environment, because all domain users would have unrestricted rights to one another's PCs, they could spread these threats much more easily than if they did not have local Admin rights on all users' PCs. Also simply because a disgruntled employee or simply someone with prying eyes internally is always a possible threat.
TDKD, Technical Liaison

Commented:
Hi burmzorz,

I have a batch file I created which will add any domain (or local) users or groups to the local Administrators group as a login script. I will test as a user who has no admin rights and see if I can run as the "System" account (which is superior to even the Admin account) and be in touch.
TDKD, Technical Liaison

Commented:
You may want to consider a script that a "Domain Admin" could run, since all "Workstations" when registered on a Domain automatically place the "Domain Admin" in the local "Administrators" group, the domain admin would have rights to run this script from their own PC, thus adding users or groups to the remote PCs.

http://www.microsoft.com/technet/scriptcenter/resources/qanda/oct04/hey1008.mspx
TDKD, Technical Liaison

Commented:
By the way, how many users are we talking about?
TDKD, Technical Liaison

Commented:
Your vbs script could be as simple as:

In this sample I am adding a user named dwarchol to the local administrators group on the PC named morris-m, the domain is corp.

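' Target workstation whose local Administrators group will be changed
strComputer = "morris-m"
' Bind to the local Administrators group on that workstation (WinNT ADSI provider)
Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators")
' Bind to the domain user account corp\dwarchol
Set objUser = GetObject("WinNT://corp/dwarchol")
' Add the domain user to the workstation's local Administrators group
objGroup.Add(objUser.ADsPath)
TDKD, Technical Liaison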

Commented:
You would run this as yourself from your own desktop, if you have local Admin rights on the PC in question.
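
Added example, not part of any poster's reply: a PowerShell audit that uses the same WinNT ADSI provider as the VBScript above to list who is in each workstation's local Administrators group and flag broad groups such as "Domain Users", the configuration cautioned against earlier in the thread. It assumes Windows PowerShell 3.0 or later and the English group name "Administrators"; the computer list defaults to the local machine, and the list of broad group names is an illustrative choice.

```powershell
# Added example: audit local Administrators membership and flag broad groups.
# Defaults to the local machine; add names of workstations you administer.
$Computers       = @($env:COMPUTERNAME)
$BroadPrincipals = @('Domain Users', 'Authenticated Users', 'Everyone')   # illustrative list

function Get-LocalAdminMember {
    param([Parameter(Mandatory)][string]$ComputerName)

    # Same ADSI WinNT provider the VBScript in the thread uses.
    # Assumes the group is named "Administrators" (English Windows).
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($member in $group.psbase.Invoke('Members')) {
        $type  = $member.GetType()
        $path  = $type.InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        $class = $type.InvokeMember('Class',   'GetProperty', $null, $member, $null)

        # ADsPath forms: WinNT://DOMAIN/name, WinNT://DOMAIN/COMPUTER/name,
        # or WinNT://name for well-known or unresolved SIDs.
        $parts = @(($path -replace '^WinNT://', '') -split '/')
        $scope = if ($parts.Count -gt 1) { $parts[0..($parts.Count - 2)] -join '\' } else { '' }

        [pscustomobject]@{
            Computer = $ComputerName
            Scope    = $scope
            Name     = $parts[-1]
            Class    = $class
            TooBroad = $BroadPrincipals -contains $parts[-1]
        }
    }
}

# Collect membership from every listed machine; unreachable hosts only warn.
$report = foreach ($computer in $Computers) {
    try   { Get-LocalAdminMember -ComputerName $computer }
    catch { Write-Warning "${computer}: $($_.Exception.Message)" }
}

$report | Sort-Object Computer, Name | Format-Table -AutoSize

# Call out entries that give every domain account admin rights on a machine.
$findings = @($report | Where-Object { $_.TooBroad })
if ($findings.Count -gt 0) {
    Write-Warning "Broad groups found in local Administrators: $($findings.Count)"
    $findings | Format-Table Computer, Scope, Name -AutoSize
}
```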