
Use Active Directory to set work station local rights

Anonymous
February 10, 2005 5:40:27 AM

Archived from groups: microsoft.public.win2000.active_directory

Hello Active Directory,

I have a win 2000 server, and would like to be able to allow a group of
users to have administrator privileges (not domain administrator privs)
on the work station(s) they log in to. I would like to permit admin
rights on the workstation without having to go to each work station, and
adding the specific user to the local administrators group. Can I do
this with Active Directory and some sort of group policy?

Thanks,

eric
Anonymous
February 10, 2005 5:40:28 AM


Eric,

This question is asked quite often. Please take a look at Restricted
Groups.....

Just remember that you want to strongly consider creating this GPO on a
workstation that has the ADMINPAK installed...Otherwise, have fun trying to
figure it all out! I just about tore my hair out [ and as my wife would
point out, it is not 'hairs', just hair! ;-) ] trying to do all of it on a
Domain Controller. Possible, but really difficult. Go with the
workstation solution.

Anyway, you should be doing just about all of your admin stuff on a
workstation, anyway ( but that is how I like to do it...the choice is yours
and I can not tell anyone how to do things... ).

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com



Anonymous
February 10, 2005 11:20:49 AM


An alternative to Restricted Groups, as the interface causes many to
stumble, is to use a startup script that uses the net localgroup command via
a batch file. Something like this:

net localgroup administrators /add DOMAIN\GroupName


--

Paul Williams

http://www.msresource.net/
http://forums.msresource.net/

Anonymous
February 10, 2005 11:20:50 AM


But, then you lose the point of restricting which user account objects /
group objects can be made members of what local group accounts....If you do
that, then anyone can still be made a member of the local Administrators
group.

Do not get me wrong, it is still a way to accomplish what they want to
do...just partially, though.

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com



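The difference raised in the two posts above, modelled as an added example that is not part of the original thread: a startup script running `net localgroup ... /add` only appends, while Restricted Groups replaces the membership with the configured list. The `net localgroup administrators` output below is constructed, English-language output is assumed, and `CORP`, `jsmith` and `WorkstationAdmins` are hypothetical names.

```python
# Added example. SAMPLE_OUTPUT is constructed; CORP, jsmith and
# WorkstationAdmins are hypothetical names. Assumes English-language output.
SAMPLE_OUTPUT = """\
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\\Domain Admins
CORP\\jsmith
The command completed successfully.
"""

# Membership the policy is meant to allow (hypothetical).
ALLOWED = ["Administrator", "CORP\\Domain Admins", "CORP\\WorkstationAdmins"]

def norm(name):
    return name.strip().casefold()  # account names compare case-insensitively

def parse_members(net_output):
    """Return the names listed between the dashed rule and the status line."""
    members, in_list = [], False
    for line in net_output.splitlines():
        line = line.strip()
        if line.startswith("----"):
            in_list = True
        elif in_list and line and not norm(line).startswith("the command completed"):
            members.append(line)
    return members

def additive(current, to_add):
    """Startup-script model: /add appends and never removes anyone."""
    seen = {norm(m) for m in current}
    return current + [m for m in to_add if norm(m) not in seen]

def enforced(current, allowed):
    """Restricted Groups model: membership is replaced by the allowed list."""
    return list(allowed)

def unauthorized(members, allowed):
    """Members present on the workstation but absent from the allowed list."""
    ok = {norm(a) for a in allowed}
    return [m for m in members if norm(m) not in ok]

if __name__ == "__main__":
    current = parse_members(SAMPLE_OUTPUT)
    print(unauthorized(additive(current, ALLOWED[2:]), ALLOWED), unauthorized(enforced(current, ALLOWED), ALLOWED))
```

Running `unauthorized` over real `net localgroup administrators` output gives a quick audit of workstations that were only ever managed by the add-only script.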
Anonymous
February 11, 2005 12:06:34 AM


Ah yes, the actual reason for the feature. I tend to forget about that, as
it seems to be only used to add people to groups - no one seems to care
about keeping specific groups members ;-)

Good point!!!


How's it going anyway? Has your second son come along yet?

--

Paul Williams

http://www.msresource.net/
http://forums.msresource.net/

Anonymous
February 11, 2005 12:06:35 AM


I find that the interface is not so bad, if you are doing it from a
workstation with the Adminpak installed. From a Domain Controller it is
indeed a bit, er, convoluted!

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com


