Active Directory & local permissions in XP.

Archived from groups: microsoft.public.win2000.active_directory

I have a Windows 2003 server with Active Directory installed on it. I'm setting up a number of Windows XP Pro clients that will join the domain. When I join the domain with an XP client, I lose the ability to add and delete items from my start menu on the XP box. For instance, if I try to delete something out of the startup group, I get access denied.

How can I be a normal domain user but also be admin of my local computer?

TIA
  1.

    You must add that domain user to the local Administrators group. To do that,
    go to Control Panel - User Accounts (if I remember well).


    --
    Andrei Ungureanu
    www.eventid.net
    Free Windows event logs reports
    http://www.altairtech.ca/evlog/

    "Terry" <terry@noreply.com> wrote in message
    news:dvgf31pj8l21pp2in2evlsok0ina5gfg5p@4ax.com...
    > I have a Windows 2003 server with Active Directory installed on it. I'm
    > setting up a number of Windows XP Pro clients that will join the domain.
    > When I join the domain with an XP client, I lose the ability to add and
    > delete items from my start menu on the XP box. For instance, if I try to
    > delete something out of the startup group, I get access denied.
    >
    > How can I be a normal domain user but also be admin of my local computer?
    >
    > TIA
    >
  2.

    No such capability exists in that control panel applet.

    However, I was able to solve the problem through this long drawn-out process:

    · Log on as the domain user to the computer in question.
    · Click on Start, Run, and type in "runas /user:administrator mmc.exe".
    · When prompted, enter the password for the local admin.
    · In MMC, load the Computer Management snap-in.
    · Add "<domain>\Domain Users" to the local administrators group, <domain> being your domain.
    · When prompted for a domain logon, enter the domain administrator's user ID and password.
    · Reboot.

    What a frick'n major pain!

    Is there any way to push this out from the domain controller by a policy or something? I know I could probably do it with a run-once script pushed out by
    policy, but there should be something more elegant than that.


    On Wed, 16 Mar 2005 08:22:04 +0200, "Andrei Ungureanu" <andreix at msn dot com> wrote:

    >you must add that domain user to the local Administrators group. to do that
    >go to Control Panel - User Accounts (if I remember well)
  3.

    Terry,

    You can do this either by adding domain users to the local administrators
    group or by using Restricted Groups in a GPO to assign these rights.

    Remember though, that security is there for a reason and there are TONS of
    reasons not to want your normal users as Local Admins. You might try Power
    Users first before going all the way to Local Admins.

    As to the steps you are going through to set that manually, remember that
    any member of the Domain Admins group is a member of the Local Admins group
    on any member machines (unless you manually remove that). You can change
    the users' group memberships through the Computer Management applet, right
    clicking on My Computer | manage, or by command line.
    --
    Ryan Hanisco
    MCSE, MCDBA
    FlagShip Integration Services
    Chicago, IL

    "Terry" <terry@noreply.com> wrote in message
    news:qqmh319tifogo5lluoat4fqkfmc30qf07n@4ax.com...
    > No such capability exists in that control panel applet.
    >
    > However, I was able to solve the problem through this long drawn-out
    > process:
    >
    > · Log on as the domain user to the computer in question.
    > · Click on Start, Run, and type in "runas /user:administrator mmc.exe".
    > · When prompted, enter the password for the local admin.
    > · In MMC, load the Computer Management snap-in.
    > · Add "<domain>\Domain Users" to the local administrators group, <domain>
    >   being your domain.
    > · When prompted for a domain logon, enter the domain administrator's user
    >   ID and password.
    > · Reboot.
    >
    > What a frick'n major pain!
    >
    > Is there any way to push this out from the domain controller by a policy
    > or something? I know I could probably do it with a run-once script pushed
    > out by
    > policy, but there should be something more elegant than that.
    >
    >
    >
    >
    > On Wed, 16 Mar 2005 08:22:04 +0200, "Andrei Ungureanu" <andreix at msn dot
    > com> wrote:
    >
    >>you must add that domain user to the local Administrators group. to do
    >>that
    >>go to Control Panel - User Accounts (if I remember well)
    >
  4.

    On Wed, 16 Mar 2005 22:42:10 -0600, "Ryan Hanisco" <rhanisco@flagshipis.com> wrote:

    >Terry,
    >
    >You can do this either by adding domain users to the local administrators
    >group or by using Restricted Groups in a GPO to assign these rights.

    I'm not familiar with Restricted Groups. But the name seems to imply the taking away of privileges, not adding. Can you provide a link to more information?

    I recently purchased a big honk'n book on Server 2003 (I believe it's three inches thick, so it must be good) and I looked up Restricted Groups in it, but of
    course it was only mentioned in passing. However, the chapter I read did talk about Security Templates and deploying them with GPO's. Do you think this would
    also be a valid approach?

    >
    >Remember though, that security is there for a reason and there are TONS of
    >reasons not to want your normal users as Local Admins. You might try Power
    >Users first before going all the way to Local Admins.

    I'm more concerned with functionality than security on the local computer. Once everything is automated, I can rebuild a workstation in less than 30 minutes.

    >
    >As to the steps you are going through to set that manually, remember that
    >any member of the Domain Admins group is a member of the Local Admins group
    >on any member machines (unless you manually remove that). You can change
    >the users' group memberships through the Computer Management applet, right
    >clicking on My Computer | manage, or by command line.


    Thanks for the info.
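
Added example (not part of the original thread): a Restricted Groups setting is stored in a GPO's security template under `[Group Membership]`, where a `__Memberof` line adds the principal to the named group and a `__Members` line replaces that group's whole member list. The sketch below audits such a template for broad principals placed in local Administrators; the sample template and its domain SID are constructed, and the function names are hypothetical.

```python
import re

ADMINISTRATORS = "S-1-5-32-544"  # BUILTIN\Administrators
# Well-known broad principals; Domain Users is matched by its RID (513) or name.
BROAD = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users",
         "S-1-5-32-545": "BUILTIN\\Users"}
DOMAIN_USERS = re.compile(r"^S-1-5-21-\d+-\d+-\d+-513$")

# Constructed sample template; the domain SID is made up. S-1-5-32-547 is Power Users.
SAMPLE = """\
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-21-1111111111-2222222222-3333333333-513__Memberof = *S-1-5-32-544
*S-1-5-21-1111111111-2222222222-3333333333-513__Members =
*S-1-5-32-547__Memberof =
*S-1-5-32-547__Members = *S-1-5-21-1111111111-2222222222-3333333333-1105
"""

def broad_name(principal):
    """Return a display name if the principal is a broad group, else None."""
    if DOMAIN_USERS.match(principal) or principal.lower().endswith("\\domain users"):
        return "Domain Users"
    return BROAD.get(principal)

def parse_group_membership(text):
    """Return (principal, 'members' | 'memberof', [values]) for each entry."""
    entries, in_section = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
        elif in_section and "=" in line and not line.startswith(";"):
            key, _, value = line.partition("=")
            principal, _, kind = key.strip().rpartition("__")
            values = [v.strip().lstrip("*") for v in value.split(",") if v.strip()]
            entries.append((principal.lstrip("*"), kind.lower(), values))
    return entries

def audit(text):
    """List broad principals that the template places in local Administrators."""
    findings = []
    for principal, kind, values in parse_group_membership(text):
        if kind == "memberof" and ADMINISTRATORS in values and broad_name(principal):
            findings.append(f"{broad_name(principal)} added to Administrators (additive)")
        elif kind == "members" and principal == ADMINISTRATORS:
            findings += [f"{broad_name(v)} in Administrators (replaces member list)"
                         for v in values if broad_name(v)]
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```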