• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 556
  • Last Modified:

Tempory give local user admin rights

Hi Experts,

We need to deploy multiple upgrades to 200 computers. I would like to give the logged on user local admin rights to the  computers they are logged into, temporary, How can i do this using Grpoup Policy in windows 2003 domain.

I did see on the is web site an solution that uses group policy and the restricted groups but do not know where to configure and apply this policy.

Thanks
0
talltree
Asked:
talltree
  • 4
  • 4
  • 4
2 Solutions
 
Darius GhassemCommented:
This link will show you how to get Restricted Group working..


http://www.windowsecurity.com/articles/Using-Restricted-Groups.html
0
 
Mike KlineCommented:
Do you only want that user to have admin rights to one machine.
With restircted groups that would be hassle.
If you had a group and wanted to add that group to the local admin group of the machines then that would be a job for restricted groups.
Florian has a good writeup on restricted groups here:
http://www.frickelsoft.net/blog/?p=13
Thanks
Mike


 
 
0
 
Mike KlineCommented:
Matt,
My blog is about AD and not a money making site.  I figured an AD blog would help in an AD forum
Just trying to help the community...sorry.
Thanks
Mike
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
talltreeAuthor Commented:
We want each logged on domain user to have local admin rights to the computer they are logged on to for a short ime.
This is instead of using group policy to push an software update, we wil have th euser install it themselves
0
 
Darius GhassemCommented:
The Restricted Groups GPO will allow you to do what you want to do.
0
 
Mike KlineCommented:
What I worry about restricted groups here is that users will have admin rights to multiple boxes (I know its only temporary)
0
 
talltreeAuthor Commented:
i don't think they would know it.
If weever desided to  push out the msi's using group policy the local user would not need the local admin privledges, is this correct?
0
 
talltreeAuthor Commented:
I checked out the artile http://www.windowsecurity.com/articles/Using-Restricted-Groups.html, what i don't like is it removes excisting accounts from the admin's group and repaces them. Some computers need certain user accounts in the local admin groups and can not be removed
0
 
Darius GhassemCommented:
That is the only way to get what you want done through a GPO.
0
 
talltreeAuthor Commented:
If we update the software using group policy to asssign the msi files, do we need local admin rights?
0
 
Darius GhassemCommented:
No, the GPO is run as a Admin so you don'r need local admin rights to push the update through group policy which was going to be my next suggestion.
0
 
Mike KlineCommented:
what i don't like is it removes excisting accounts from the admin's group and repaces them
That is one way it happens and a lot of articles like that one are not clear.  You can either remove existing groups or add to what is there.  Take a look at Florian's entry on it  http://www.frickelsoft.net/blog/?p=13
Thanks
Mike
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

  • 4
  • 4
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now