Archived from groups: microsoft.public.win2000.active_directory
"scott" <sbailey@mileslumber.com> wrote in message
news:u8zgBX45EHA.3648@TK2MSFTNGP11.phx.gbl...
> Where is the INTERACTIVE group located? I can't find it.
It is a Special Group -- you should be able to find it
in most any group list.
Special Groups are those "automatic" groups such as
Everyone, Authenticated Users, TS Users, Dialup, etc.
--
Herb Martin
"scott" <sbailey@mileslumber.com> wrote in message
news:u8zgBX45EHA.3648@TK2MSFTNGP11.phx.gbl...
> Where is the INTERACTIVE group located? I can't find it.
>
>
> "Herb Martin" <news@LearnQuick.com> wrote in message
> news:OrgfBhx5EHA.272@TK2MSFTNGP10.phx.gbl...
> > "scott" <sbailey@mileslumber.com> wrote in message
> > news:OhMPmLx5EHA.2624@TK2MSFTNGP11.phx.gbl...
> >> If userA is a member of DOMAIN USERS and is a LOCAL ADMINISTRATOR to userA's
> >> box, how can userA get access to other PCs on the network?
> >>
> >> I'm just trying to limit regular users to only access his own pc and just
> >> certain network shared folders on a server. I do want them to be able to do
> >> anything to their own pc.
> >>
> >
> > But any user can walk up to any PC, logon, and
> > become the Admin there, so you really have no
> > effective limitation.
> >
> > Oli's idea at least REQUIRES them to physically
> > logon (or TS etc) to the machine in question.
> >
> > --
> > Herb Martin
> >
> >
> >> i'm really getting confused. i've never heard of the INTERACTIVE group
> >> before.
> >>
> >> if you can give more guidance, i'd appreciate you staying with me on
> >> this.
> >>
> >>
> >> "Oli Restorick [MVP]" <oli@mvps.org> wrote in message
> >> news:%23zNOS$s5EHA.2964@TK2MSFTNGP09.phx.gbl...
> >> > Sorry -- I did indeed miss "the current user" in the original question.
> >> >
> >> > Scott, what you're trying to do is not a good practice. What you may want
> >> > to consider doing, though, is to add the "INTERACTIVE" group (users
> >> > logging in at the console) to the local administrators group.
> >> >
> >> > The following command will do this and must be done either manually or
> >> > through a computer startup script. Users, of course, will not have the
> >> > required permissions to make the change.
> >> >
> >> > net localgroup administrators interactive /add
> >> >
> >> > This will mean that any user who logs into such a machine will be an
> >> > administrator of that box, but they will not be able to do administrative
> >> > tasks to other machines across the network.
> >> >
> >> > Hope this helps
> >> >
> >> > Oli
> >> >
> >> > "Oli Restorick [MVP]" <oli@mvps.org> wrote in message
> >> > news:OTcVe5s5EHA.828@TK2MSFTNGP14.phx.gbl...
> >> >> As I understood the question, Scott wanted a particular user (I'm assuming
> >> >> a helpdesk person) to not be a member of "Domain Admins", but to be able
> >> >> to be an administrator of workstations. If so, a computer startup script
> >> >> is a perfectly reasonable way of achieving a perfectly reasonable thing.
> >> >>
> >> >> Perhaps I'm misreading the question.
> >> >>
> >> >> Oli
> >> >>
> >> >>
> >> >> "Herb Martin" <news@LearnQuick.com> wrote in message
> >> >> news:%231pitFr5EHA.2568@TK2MSFTNGP10.phx.gbl...
> >> >>> "scott" <sbailey@mileslumber.com> wrote in message
> >> >>> news:#rT$cjp5EHA.828@TK2MSFTNGP14.phx.gbl...
> >> >>>> what about a group instead of a user?
> >> >>>>
> >> >>>> what would that look like syntax wise?
> >> >>>
> >> >>> Let's go back to your original request and consider
> >> >>> what you really wish to accomplish:
> >> >>>
> >> >>>> I'm trying to add the current user (member of DOMAIN USER GROUP) to the
> >> >>>> LOCAL ADMINISTRATORS group with below code in FIGURE 1, but get error
> >> >>>> in
> >> >>>
> >> >>> IF someone should be a member of the Local Administrators
> >> >>> group then YOU (or a script on the DCs) should be adding
> >> >>> them to the appropriate group.
> >> >>>
> >> >>> This isn't appropriate for a Startup or Logon script.
> >> >>> (The user cannot add himself nor can the computer startup
> >> >>> add a user who has not yet logged onto the computer -- as
> >> >>> discussed above)
> >> >>>
> >> >>> If ALL users should be Admins of ALL machines (which
> >> >>> is essentially what you were really going to allow -- If
> >> >>> I COULD log onto a machine you were going to make me
> >> >>> an Admin -- then just do that by making such a group or
> >> >>> assigning the Domain Admins.
> >> >>>
> >> >>> Although I see this, and the original request, as poor
> >> >>> practice, you will likely also recognize this
> >> >>> when stated as such.
> >> >>>
> >> >>> We could build a Startup script that would do this IF
> >> >>> you can identify the users who work at each machine.
> >> >>>
> >> >>> --
> >> >>> Herb Martin
> >> >>>
> >> >>>
> >> >>> "scott" <sbailey@mileslumber.com> wrote in message
> >> >>> news:#rT$cjp5EHA.828@TK2MSFTNGP14.phx.gbl...
> >> >>>> what about a group instead of a user?
> >> >>>>
> >> >>>> what would that look like syntax wise?
> >> >>>>
> >> >>>> "Deji Akomolafe" <noemail@akomolafe.dotcom> wrote in message
> >> >>>> news:ekX8Kyl5EHA.2428@TK2MSFTNGP14.phx.gbl...
> >> >>>> > Ah, you are correct. Missed that
> >> >>>> >
> >> >>>> > --
> >> >>>> >
> >> >>>> >
> >> >>>> > Sincerely,
> >> >>>> >
> >> >>>> > Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
> >> >>>> > Microsoft MVP - Directory Services
> >> >>>> > www.readymaids.com - we know IT
> >> >>>> > www.akomolafe.com
> >> >>>> > Do you now realize that Today is the Tomorrow you were worried about
> >> >>>> > Yesterday? -anon
> >> >>>> > "Herb Martin" <news@LearnQuick.com> wrote in message
> >> >>>> > news:eXWiZji5EHA.2540@TK2MSFTNGP09.phx.gbl...
> >> >>>> >> "Deji Akomolafe" <noemail@akomolafe.dotcom> wrote in message
> >> >>>> >> news:uDSajUi5EHA.2624@TK2MSFTNGP11.phx.gbl...
> >> >>>> >> > the variable is %username%. So your syntax would be:
> >> >>>> >> >
> >> >>>> >> > net localgroup administrators yourdomainname\%username% /ADD
> >> >>>> >> >
> >> >>>> >> > That would add ANY user that logs into the computer into the administrators'
> >> >>>> >> > group IF you are using Machine Startup Script through a GPO as suggested by
> >> >>>> >> > Oli. This may be something you want to do in a controlled fashion.
> >> >>>> >>
> >> >>>> >> Sorry, this will not work as expected.
> >> >>>> >>
> >> >>>> >> At the time that a Computer Startup Script runs, there is
> >> >>>> >> NO user and the %username% variable holds no value.
> >> >>>> >>
> >> >>>> >>
> >> >>>> >>
> >> >>>> >
> >> >>>> >
> >> >>>>
> >> >>>>
> >> >>>
> >> >>>
> >> >>
> >> >>
> >> >
> >> >
> >>
> >>
> >
> >
>
>
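Added example, not part of any post in this thread: a small Python check that reads the text printed by `net localgroup administrators` and reports special or domain-wide groups such as INTERACTIVE in the local Administrators group, so a workstation carrying the change discussed above can be identified. The watch list, the `EXAMPLE` domain name and the sample output are constructed, and English-language command output is assumed.

```python
"""Audit `net localgroup administrators` output for broad principals."""

# Principals that make every matching logon an administrator. INTERACTIVE is
# the special group discussed in the thread; the rest of this watch list is
# an illustrative assumption and should be adjusted per site.
BROAD = {"interactive", "everyone", "authenticated users", "domain users"}


def parse_members(output):
    """Return the member names listed by `net localgroup <group>`."""
    members, in_list = [], False
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("----"):        # dashed rule opens the member list
            in_list = True
        elif in_list and line.lower().startswith("the command completed"):
            break                          # status line closes the list
        elif in_list and line:
            members.append(line)
    return members


def broad_admins(output):
    """Members whose name, minus any DOMAIN\\ or authority prefix, is broad."""
    return [m for m in parse_members(output)
            if m.rsplit("\\", 1)[-1].lower() in BROAD]


# Constructed sample: output on a workstation after
# `net localgroup administrators interactive /add` has been applied.
SAMPLE = r"""Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
EXAMPLE\Domain Admins
NT AUTHORITY\INTERACTIVE
The command completed successfully.
"""

if __name__ == "__main__":
    for name in broad_admins(SAMPLE):
        print("broad principal in local Administrators:", name)
```
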