
Active Directory & local permissions in XP.

March 16, 2005 2:36:34 AM

Archived from groups: microsoft.public.win2000.active_directory

I have a Windows 2003 server with Active Directory installed on it. I'm setting up a number of Windows XP Pro clients that will join the domain. When I join the domain with an XP client, I lose the ability to add and delete items from my start menu on the XP box. For instance, if I try to delete something out of the startup group, I get access denied.

How can I be a normal domain user but also be admin of my local computer?

TIA
Anonymous
March 16, 2005 11:22:04 AM


You must add that domain user to the local Administrators group. To do that,
go to Control Panel - User Accounts (if I remember well).


--
Andrei Ungureanu
www.eventid.net
Free Windows event logs reports
http://www.altairtech.ca/evlog/

"Terry" <terry@noreply.com> wrote in message
news:D vgf31pj8l21pp2in2evlsok0ina5gfg5p@4ax.com...
>I have a Windows 2003 server with Active Directory installed on it. I'm
>setting up a number of Windows XP Pro clients that will join the domain.
>When I join the
> domain with an XP client, I lose the ability to add and delete items from
> my start menu on the XP box. For instance, if I try to delete something
> out of the
> startup group, I get access denied.
>
> How can I be a normal domain user but also be admin of my local computer?
>
> TIA
>
March 16, 2005 10:33:46 PM


No such capability exists in that control panel applet.

However, I was able to solve the problem through this long drawn-out process:

· Log on as the domain user to the computer in question.
· Click on Start, Run, and type in "runas /user:administrator mmc.exe".
· When prompted, enter the password for the local admin.
· In MMC, load the Computer Management snap-in.
· Add "<domain>\Domain Users" to the local administrators group, <domain> being your domain.
· When prompted for a domain logon, enter the domain administrator's user ID and password.
· Reboot.

What a frick'n major pain!

Is there any way to push this out from the domain controller by a policy or something? I know I could probably do it with a run-once script pushed out by policy, but there should be something more elegant than that.




On Wed, 16 Mar 2005 08:22:04 +0200, "Andrei Ungureanu" <andreix at msn dot com> wrote:

>you must add that domain user to the local Administrators group. to do that
>go to Control Panel - User Accounts (if I remember well)
Anonymous
March 17, 2005 1:42:10 AM


Terry,

You can do this either by adding domain users to the local administrators
group or by using Restricted Groups in a GPO to assign these rights.

Remember though, that security is there for a reason and there are TONS of
reasons not to want your normal users as Local Admins. You might try Power
Users first before going all the way to Local Admins.

As to the steps you are going through to set that manually, remember that
any member of the Domain Admins group is a member of the Local Admins group
on any member machines (unless you manually remove that). You can change
the users' group memberships through the Computer Management applet, right
clicking on My Computer | manage, or by command line.
--
Ryan Hanisco
MCSE, MCDBA
FlagShip Integration Services
Chicago, IL

"Terry" <terry@noreply.com> wrote in message
news:qqmh319tifogo5lluoat4fqkfmc30qf07n@4ax.com...
> No such capability exists in that control panel applet.
>
> However, I was able to solve the problem through this long drawn-out
> process:
>
> · Log on as the domain user to the computer in question.
> · Click on Start, Run, and type in "runas /user:administrator mmc.exe".
> · When prompted, enter the password for the local admin.
> · In MMC, load the Computer Management snap-in.
> · Add "<domain>\Domain Users" to the local administrators group, <domain>
> being your domain.
> · When prompted for a domain logon, enter the domain administrator's user
> ID and password.
> · Reboot.
>
> What a frick'n major pain!
>
> Is there any way to push this out from the domain controller by a policy
> or something? I know I could probably do it with a run-once script pushed
> out by
> policy, but there should be something more elegant than that.
>
>
>
>
> On Wed, 16 Mar 2005 08:22:04 +0200, "Andrei Ungureanu" <andreix at msn dot
> com> wrote:
>
>>you must add that domain user to the local Administrators group. to do
>>that
>>go to Control Panel - User Accounts (if I remember well)
>
March 17, 2005 3:30:50 AM


On Wed, 16 Mar 2005 22:42:10 -0600, "Ryan Hanisco" <rhanisco@flagshipis.com> wrote:

>Terry,
>
>You can do this either by adding domain users to the local administrators
>group or by using Restricted Groups in a GPO to assign these rights.

I'm not familiar with Restricted Groups. But the name seems to imply the taking away of privileges, not adding. Can you provide a link to more information?

I recently purchased a big honk'n book on Server 2003 (I believe it's three inches thick, so it must be good) and I looked up Restricted Groups in it, but of course it was only mentioned in passing. However, the chapter I read did talk about Security Templates and deploying them with GPOs. Do you think this would also be a valid approach?

>
>Remember though, that security is there for a reason and there are TONS of
>reasons not to want your normal users as Local Admins. You might try Power
>Users first before going all the way to Local Admins.

I'm more concerned with functionality than security on the local computer. Once everything is automated, I can rebuild a workstation in less than 30 minutes.

>
>As to the steps you are going through to set that manually, remember that
>any member of the Domain Admins group is a member of the Local Admins group
>on any member machines (unless you manually remove that). You can change
>the users' group memberships through the Computer Management applet, right
>clicking on My Computer | manage, or by command line.


Thanks for the info.
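
Added example, not part of the original thread or written by any of its posters: Restricted Groups settings live in a GPO security template under `[Group Membership]`, where a `__Members` entry replaces a group's membership and a `__Memberof` entry only adds that group to another. The Python audit below reads such a template and reports who ends up in local Administrators, flagging broad principals such as Domain Users; the key layout is assumed to follow the usual GptTmpl.inf form, and the domain SID and RID 1105 in the sample are constructed.

```python
import re

ADMINS = "S-1-5-32-544"           # BUILTIN\Administrators
BROAD = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users"}

# Constructed sample; domain SID 1111-2222-3333 and RID 1105 are made up.
SAMPLE = """\
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111-2222-3333-512,*S-1-5-21-1111-2222-3333-513
*S-1-5-21-1111-2222-3333-1105__Memberof = *S-1-5-32-544
*S-1-5-21-1111-2222-3333-1105__Members =
"""

def parse_group_membership(text):
    """Return {(group_sid, 'Members'|'Memberof'): [sids]} from the template."""
    entries, in_section = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        m = re.match(r"\*?(.+?)__(Members|Memberof)\s*=\s*(.*)$", line, re.I)
        if in_section and m:
            sids = [s.strip().lstrip("*") for s in m.group(3).split(",") if s.strip()]
            entries[(m.group(1), m.group(2).capitalize())] = sids
    return entries

def is_broad(sid):
    """True for principals that cover every ordinary domain account."""
    domain_users = sid.startswith("S-1-5-21-") and sid.endswith("-513")
    return sid in BROAD or domain_users

def local_admin_findings(entries):
    """List who the policy puts into local Administrators, and how."""
    findings = []
    for (group, kind), sids in sorted(entries.items()):
        if kind == "Members" and group == ADMINS:
            # 'Members' is authoritative: anything not listed is removed.
            findings += [(sid, "replace", is_broad(sid)) for sid in sids]
        elif kind == "Memberof" and ADMINS in sids:
            # 'Member of' is additive: existing local admins are kept.
            findings.append((group, "add", is_broad(group)))
    return findings

if __name__ == "__main__":
    for sid, mode, broad in local_admin_findings(parse_group_membership(SAMPLE)):
        print(f"{sid:40} {mode:8} {'BROAD: review' if broad else 'ok'}")
```

On the sample, the dedicated group (RID 1105) added through `__Memberof` passes, while the `-513` Domain Users entry in the authoritative `__Members` list is flagged for review.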