Local Administrators and Active Directory

Guest
Archived from groups: microsoft.public.win2000.active_directory

Hi all
I wonder if somebody could help me.
I'm trying to create a user in AD that has rights to administer the XP PC
he/she logs into (given local admin rights). The PC has been joined to the
domain and that AD user is logging into the domain on the XP PC.
I thought this would be a simple matter of adding that user to the
builtin\Administrators group, and then logging on, but this didn't work.
HOWEVER - If the Domain administrator account (domain.devel\Administrator)
logs into the domain on an XP PC, they have admin rights over the PC! I
cannot seem to give another user the same local rights.
So I'm wondering if anybody has a solution to this?
Thanks

Stuart Smith
 
Guest

You are correct in that you need to add the domain user to the local
administrators group.

Just remember that in order to perform this task, you require a minimum of
Power User permissions on that PC.


--

Paul Williams

http://www.msresource.net/
http://forums.msresource.net/
 
Guest

Hi
Thanks for the prompt reply, but how do you grant Power User permissions to
a domain user? There is no AD group called Power Users, remembering that the
domain account isn't created locally on the PC.
I suppose what we are really after is the ability for somebody to be able to
install device drivers and write to anywhere on the C drive on an XP
workstation without being able to administer AD itself, only the local PC.
Obviously Domain Admins is the group you need to add the user to for them to
administer the PC, but we definitely can't give this right to our staff
members!
Thanks

Stuart

"ptwilliams" wrote:

> You are correct in that you need to add the domain user to the local
> administrators group.
>
> Just remember that in order to perform this task, you require a minimum of
> Power User permissions on that PC.
>
>
> --
>
> Paul Williams
>
> http://www.msresource.net/
> http://forums.msresource.net/
>
>
>
 
Guest

You either log on to that box with administrative credentials and add the
groups manually, or you automate this across the enterprise.

If you go with the latter, then the most widely used options (and
recommended here) are a startup script that uses net localgroup or the
restricted groups aspect of GPO.


--

Paul Williams

http://www.msresource.net/
http://forums.msresource.net/
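
The startup-script option mentioned in the reply above, as an added example that is not part of the original post. It assumes an English-language client (local group named Administrators); `DEVEL` is a placeholder NetBIOS domain name, and the `Workstation Admins` group and the log file path are hypothetical.

```batch
@echo off
rem Added example: computer startup script, assigned through a GPO, that puts
rem a domain group into the local Administrators group of the workstation.
rem Computer startup scripts run as Local System, so the change does not
rem depend on any user already holding admin rights on the PC.
rem ASSUMPTIONS: "DEVEL" is a placeholder NetBIOS domain name and
rem "Workstation Admins" is a hypothetical domain group created for this.
setlocal
set "LOCALGROUP=Administrators"
set "DOMGROUP=DEVEL\Workstation Admins"
set "LOGFILE=%SystemRoot%\Temp\localadmin-startup.log"

rem Attempt the add on every boot. net localgroup returns an error when the
rem group is already a member, so the exit code is ignored here and the
rem result is verified from the actual membership list below.
net localgroup "%LOCALGROUP%" "%DOMGROUP%" /add >nul 2>&1

rem Verify: look for a member line that begins with the domain group name.
net localgroup "%LOCALGROUP%" | findstr /i /b /l /c:"%DOMGROUP%" >nul
if errorlevel 1 (
    echo %DATE% %TIME% %COMPUTERNAME%: %DOMGROUP% is NOT in %LOCALGROUP% >>"%LOGFILE%"
) else (
    echo %DATE% %TIME% %COMPUTERNAME%: %DOMGROUP% is in %LOCALGROUP% >>"%LOGFILE%"
)

rem Record the full membership so unexpected local admins can be reviewed.
net localgroup "%LOCALGROUP%" >>"%LOGFILE%" 2>&1
endlocal
```

Members of the domain group get administrative rights only on the workstations the GPO applies to and no rights over AD itself, which is the separation asked for earlier in the thread.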
 
Guest

Ahh thanks very much,
Looks like I'll start looking into Restricted groups in GPOs.
Thanks again!

Stuart

"ptwilliams" wrote:

> You either log on to that box with administrative credentials and add the
> groups manually, or you automate this across the enterprise.
>
> If you go with the latter, then the most widely used options (and
> recommended here) are a startup script that uses net localgroup or the
> restricted groups aspect of GPO.
>
>
> --
>
> Paul Williams
>
> http://www.msresource.net/
> http://forums.msresource.net/
>
>
>