Use Active Directory to set work station local rights

Archived from groups: microsoft.public.win2000.active_directory

Hello Active Directory,

I have a win 2000 server, and would like to be able to allow a group of
users to have administrator privileges (not domain administrator privs)
on the work station(s) they log in to. I would like to permit admin
rights on the workstation without having to go to each work station, and
adding the specific user to the local administrators group. Can I do
this with Active Directory and some sort of group policy?

Thanks,

eric
  1. Archived from groups: microsoft.public.win2000.active_directory

    Eric,

    This question is asked quite often. Please take a look at Restricted
    Groups.....

    Just remember that you want to strongly consider creating this GPO on a
    workstation that has the ADMINPAK installed...Otherwise, have fun trying to
    figure it all out! I just about tore my hair out [ and as my wife would
    point out, it is not 'hairs', just hair! ;-) ] trying to do all of it on a
    Domain Controller. Possible, but really difficult. Go with the
    workstation solution.

    Anyway, you should be doing just about all of your admin stuff on a
    workstation, anyway ( but that is how I like to do it...the choice is yours
    and I can not tell anyone how to do things... ).

    --
    Cary W. Shultz
    Roanoke, VA 24014
    Microsoft Active Directory MVP

    http://www.activedirectory-win2000.com
    http://www.grouppolicy-win2000.com

  2. Archived from groups: microsoft.public.win2000.active_directory

    An alternative to Restricted Groups, as the interface causes many to
    stumble, is to use a startup script that uses the net localgroup command via
    a batch file. Something like this:

    net localgroup administrators /add DOMAIN\GroupName


    --

    Paul Williams

    http://www.msresource.net/
    http://forums.msresource.net/
  3. Archived from groups: microsoft.public.win2000.active_directory

    But, then you lose the point of restricting which user account objects /
    group objects can be made members of what local group accounts....If you do
    that, then anyone can still be made a member of the local Administrators
    group.

    Do not get me wrong, it is still a way to accomplish what they want to
    do...just partially, though.

    --
    Cary W. Shultz
    Roanoke, VA 24014
    Microsoft Active Directory MVP

    http://www.activedirectory-win2000.com
    http://www.grouppolicy-win2000.com

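The difference raised in the two replies above, shown as an added example that is not part of the original thread: it parses `net localgroup administrators` output and compares what an add-only startup script leaves behind with what an enforced member list leaves behind. The sample output, the `CORP` domain, the group names and the account `jsmith` are constructed, and `enforce` is a simplified model of a Restricted Groups member list.

```python
"""Added example: add-only script vs. enforced member list on local Administrators."""

# Constructed sample of `net localgroup administrators` output (values are made up).
SAMPLE_OUTPUT = r"""Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\Domain Admins
CORP\jsmith
The command completed successfully.
"""

# Assumed allow-list for this workstation (hypothetical names).
ALLOWED = ["Administrator", r"CORP\Domain Admins", r"CORP\Workstation Admins"]


def parse_members(output):
    """Return the names listed between the dashed rule and the status line."""
    members, in_list = [], False
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("---"):
            in_list = True
        elif in_list and line.lower().startswith("the command completed"):
            break
        elif in_list and line:
            members.append(line)
    return members


def unexpected(members, allowed):
    """Members not on the allow-list (account names compare case-insensitively)."""
    allowed_lc = {a.lower() for a in allowed}
    return [m for m in members if m.lower() not in allowed_lc]


def add_only(current, group):
    """Model the startup script: add one group, leave every other member alone."""
    present = {m.lower() for m in current}
    return list(current) if group.lower() in present else list(current) + [group]


def enforce(current, policy):
    """Model an enforced member list: membership becomes exactly the policy list."""
    current_lc = {m.lower() for m in current}
    return {"members": list(policy),
            "removed": unexpected(current, policy),
            "added": [p for p in policy if p.lower() not in current_lc]}
```

Run against the sample, the add-only path still reports `CORP\jsmith` as an unexpected administrator, while the enforced list removes it.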
  4. Archived from groups: microsoft.public.win2000.active_directory

    Ah yes, the actual reason for the feature. I tend to forget about that, as
    it seems to be only used to add people to groups - no one seems to care
    about keeping specific groups members ;-)

    Good point!!!


    How's it going anyway? Has your second son come along yet?

    --

    Paul Williams

    http://www.msresource.net/
    http://forums.msresource.net/
  5. Archived from groups: microsoft.public.win2000.active_directory

    I find that the interface is not so bad, if you are doing it from a
    workstation with the Adminpak installed. From a Domain Controller it is
    indeed a bit, er, convoluted!

    --
    Cary W. Shultz
    Roanoke, VA 24014
    Microsoft Active Directory MVP

    http://www.activedirectory-win2000.com
    http://www.grouppolicy-win2000.com
