Dynamic Local Administrator / PowerUser

stefan

Apr 14, 2004
Archived from groups: microsoft.public.win2000.active_directory

Hello,

I have a Windows 2003 Active Directory network with one domain.
We're planning to roll out Windows XP pc's in the near future (now all
pc's are Windows 98).

What I would like to accomplish is 'dynamic local administrator',
which is derived from Novell ZenWorks (dynamic local user).

I would like a normal user to logon on a Windows XP workstation, at
the moment he/she logs in it must be added to the local
Administrator/Poweruser group and these rights have to be active
immediately. Also at logoff these rights must be removed (or all but
the current user should be removed at logon).

I know I can create a domain group, put all users in them, and connect
the domain group, to all local Administrators groups, but this will
give all the users administrator rights on all pc's simultaneously
(like admin shares).

Also, I could put the user John in the local Administrators group of
his pc, and Peter in his etc. etc. But I have roaming users.

So can anyone please help me.
Thank you.
Stefan
s.petersNOSPAM@NOSPAM.microway.nl
 
Guest

The only way I know that you could do this was to write two scripts, one at
logon and one at logoff. This would add or remove the user's account from
the local group.

Check this site; I think it is what you are looking for.
http://windows.stanford.edu/Public/Infrastructure/LocalGroup.html

--

Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

This posting is provided "AS IS" with no warranties, and confers no rights.



"Stefan" <stefanNOSPAM@NOSPAManykey.xs4all.nl> wrote in message
news:vnre21508cqv8t4p6f2c75rbpl9slpufij@4ax.com...
> Hello,
>
> I have a Windows 2003 Active Directory network with one domain.
> We're planning to roll out Windows XP pc's in the near future (now all
> pc's are Windows 98).
>
> What I would like to accomplish is 'dynamic local administrator',
> which is derived from Novell ZenWorks (dynamic local user).
>
> I would like a normal user to logon on a Windows XP workstation, at
> the moment he/she logs in it must be added to the local
> Administrator/Poweruser group and these rights have to be active
> immediately. Also at logoff these rights must be removed (or all but
> the current user should be removed at logon).
>
> I know I can create a domain group, put all users in them, and connect
> the domain group, to all local Administrators groups, but this will
> give all the users administrator rights on all pc's simultaneously
> (like admin shares).
>
> Also, I could put the user John in the local Administrators group of
> his pc, and Peter in his etc. etc. But I have roaming users.
>
> So can anyone please help me.
> Thank you.
> Stefan
> s.petersNOSPAM@NOSPAM.microway.nl
>
 
Guest

Why does the security token need to be removed after logoff? Is there a
security risk?

Thanks,
Christopher Ransom, MCSE 2000/2003, MCSA 2000/2003, CCNA
Microsoft Enterprise Platforms Support
Windows NT/Windows 2000 Directory Services

"Paul Bergson" wrote:

> The only way I know that you could do this was to write two scripts, one at
> logon and one at logoff. This would add or remove the user's account from
> the local group.
>
> Check this site; I think it is what you are looking for.
> http://windows.stanford.edu/Public/Infrastructure/LocalGroup.html
>
> --
>
> Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
>
>
> "Stefan" <stefanNOSPAM@NOSPAManykey.xs4all.nl> wrote in message
> news:vnre21508cqv8t4p6f2c75rbpl9slpufij@4ax.com...
> > Hello,
> >
> > I have a Windows 2003 Active Directory network with one domain.
> > We're planning to roll out Windows XP pc's in the near future (now all
> > pc's are Windows 98).
> >
> > What I would like to accomplish is 'dynamic local administrator',
> > which is derived from Novell ZenWorks (dynamic local user).
> >
> > I would like a normal user to logon on a Windows XP workstation, at
> > the moment he/she logs in it must be added to the local
> > Administrator/Poweruser group and these rights have to be active
> > immediately. Also at logoff these rights must be removed (or all but
> > the current user should be removed at logon).
> >
> > I know I can create a domain group, put all users in them, and connect
> > the domain group, to all local Administrators groups, but this will
> > give all the users administrator rights on all pc's simultaneously
> > (like admin shares).
> >
> > Also, I could put the user John in the local Administrators group of
> > his pc, and Peter in his etc. etc. But I have roaming users.
> >
> > So can anyone please help me.
> > Thank you.
> > Stefan
> > s.petersNOSPAM@NOSPAM.microway.nl
> >
>
>
>
 
Guest

Actually I don't think that process would work because by the time the logon
script is run, the user already has their token.

A possible solution if it fits the security needs is to add the security
principal INTERACTIVE to the administrators groups. This would make it so anyone
that logs on interactively would have admin rights.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


Paul Bergson wrote:
> The only way I know that you could do this was to write two scripts, one at
> logon and one at logoff. This would add or remove the user's account from
> the local group.
>
> Check this site; I think it is what you are looking for.
> http://windows.stanford.edu/Public/Infrastructure/LocalGroup.html
>
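
Both points in the reply above (a token is fixed at logon, and INTERACTIVE in Administrators makes every interactive user an admin) can be audited on a workstation. The script below is an added example, not part of the original thread; it assumes Windows PowerShell 5.1 or later with the LocalAccounts module (so not the Windows XP clients discussed), and the function names are hypothetical.

```powershell
# Added example (not from the thread). Needs Windows PowerShell 5.1 or later.
$AdminsSid = 'S-1-5-32-544'            # BUILTIN\Administrators
$BroadSids = @{                        # principals that cover whole classes of logons
    'S-1-1-0'  = 'Everyone'
    'S-1-5-4'  = 'INTERACTIVE'
    'S-1-5-11' = 'Authenticated Users'
}

function Get-AdminGroupReport {        # hypothetical helper name
    # One row per member of the local Administrators group; Broad is true for
    # the principals above and for any domain's Domain Users group (RID 513).
    Get-LocalGroupMember -SID $AdminsSid | ForEach-Object {
        $sid = $_.SID.Value
        [pscustomobject]@{
            Name  = $_.Name
            SID   = $sid
            Class = $_.ObjectClass
            Broad = $BroadSids.ContainsKey($sid) -or ($sid -match '^S-1-5-21-.+-513$')
        }
    }
}

function Test-TokenVsGroup {           # hypothetical helper name
    # Compares the group as stored now with the token the session was given at logon.
    $id      = [Security.Principal.WindowsIdentity]::GetCurrent()
    $listed  = @(Get-LocalGroupMember -SID $AdminsSid |
                 ForEach-Object { $_.SID.Value }) -contains $id.User.Value
    $role    = [Security.Principal.WindowsBuiltInRole]::Administrator
    $inToken = ([Security.Principal.WindowsPrincipal]$id).IsInRole($role)
    [pscustomobject]@{
        User                = $id.Name
        ListedInGroup       = $listed    # direct membership only, not via nested groups
        AdminInToken        = $inToken
        # True when the account was added after logon; a non-elevated session
        # under UAC reports the same way.
        ListedButNotInToken = $listed -and -not $inToken
    }
}

Get-AdminGroupReport | Format-Table -AutoSize
Test-TokenVsGroup
```

A row with `Broad` set to true means admin rights on that machine are not tied to a named account, which is the trade-off the INTERACTIVE approach accepts.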