Local Administrators and Active Directory
Last response: in Windows 2000/NT
Archived from groups: microsoft.public.win2000.active_directory (More info?)
Hi all
I wonder if somebody could help me.
I'm trying to create a user in AD that has rights to Administer the XP PC
he/she logs into (given local admin rights). The PC has been joined to the
domain and that AD user is logging into the domain on the XP PC.
I thought this would be a simple matter of adding that user to the
builtin\Administrators group, and then logging on, but this didn't work.
HOWEVER - If the Domain administrator account (domain.devel\Administrator)
logs into the domain on an XP PC, they have admin rights over the PC! I
cannot seem to give another user the same local rights.
So I'm wondering if anybody has a solution to this?
Thanks
Stuart Smith
Hi all
I wonder if somebody could help me.
I'm trying to create a user in AD that has rights to Administer the XP PC
he/she logs into (given local admin rights). The PC has been joined to the
domain and that AD user is logging into the domain on the XP PC.
I thought this would be a simple matter of adding that user to the
builtin\Administrators group, and then logging on, but this didn't work.
HOWEVER - If the Domain administrator account (domain.devel\Administrator)
logs into the domain on an XP PC, they have admin rights over the PC! I
cannot seem to give another user the same local rights.
So I'm wondering if anybody has a solution to this?
Thanks
Stuart Smith
More about : local administrators active directory
Archived from groups: microsoft.public.win2000.active_directory (More info?)
You are correct in that you need to add the domain user to the local
administrators group.
Just remember that in order to perform this task, you require a minimum of
Power User permissions on that PC.
--
Paul Williams
http://www.msresource.net/
http://forums.msresource.net/
You are correct in that you need to add the domain user to the local
administrators group.
Just remember that in order to perform this task, you require a minimum of
Power User permissions on that PC.
--
Paul Williams
http://www.msresource.net/
http://forums.msresource.net/
Archived from groups: microsoft.public.win2000.active_directory (More info?)
Hi
Thanks for the prompt reply, but how do you grant Power User permissions to
a Domain user, there is no AD group called power users, remembering that the
domain account isn't created locally on the PC.
I suppose what we are really after is the ability for somebody to be able to
install device drivers and write to anywhere on the C drive on an XP
workstation without being able to administer AD itself, only the local PC.
Obviously Domain Admins is the group you need to add the user to for them to
administer the PC, but we definitely can't give this right to our staff
members!
Thanks
Stuart
"ptwilliams" wrote:
> You are correct in that you need to add the domain user to the local
> administrators group.
>
> Just remember that in order to perform this task, you require a minimum of
> Power User permissions on that PC.
>
>
> --
>
> Paul Williams
>
> http://www.msresource.net/
> http://forums.msresource.net/
>
>
>
Hi
Thanks for the prompt reply, but how do you grant Power User permissions to
a Domain user, there is no AD group called power users, remembering that the
domain account isn't created locally on the PC.
I suppose what we are really after is the ability for somebody to be able to
install device drivers and write to anywhere on the C drive on an XP
workstation without being able to administer AD itself, only the local PC.
Obviously Domain Admins is the group you need to add the user to for them to
administer the PC, but we definitely can't give this right to our staff
members!
Thanks
Stuart
"ptwilliams" wrote:
> You are correct in that you need to add the domain user to the local
> administrators group.
>
> Just remember that in order to perform this task, you require a minimum of
> Power User permissions on that PC.
>
>
> --
>
> Paul Williams
>
> http://www.msresource.net/
> http://forums.msresource.net/
>
>
>
Archived from groups: microsoft.public.win2000.active_directory (More info?)
You either logon to that box with administrative credentials and add the
groups manually, or you automate this across the enterprise.
If you go with the latter, then the most widely used options (and
recommended here) are a startup script that uses net localgroup or the
restricted groups aspect of GPO.
--
Paul Williams
http://www.msresource.net/
http://forums.msresource.net/
You either logon to that box with administrative credentials and add the
groups manually, or you automate this across the enterprise.
If you go with the latter, then the most widely used options (and
recommended here) are a startup script that uses net localgroup or the
restricted groups aspect of GPO.
--
Paul Williams
http://www.msresource.net/
http://forums.msresource.net/
Archived from groups: microsoft.public.win2000.active_directory (More info?)
Ahh thanks very much,
Looks like I'll start looking into Restricted groups in GPOs.
Thanks again!
Stuart
"ptwilliams" wrote:
> You either logon to that box with administrative credentials and add the
> groups manually, or you automate this across the enterprise.
>
> If you go with the latter, then the most widely used options (and
> recommended here) are a startup script that uses net localgroup or the
> restricted groups aspect of GPO.
>
>
> --
>
> Paul Williams
>
> http://www.msresource.net/
> http://forums.msresource.net/
>
>
>
Ahh thanks very much,
Looks like I'll start looking into Restricted groups in GPOs.
Thanks again!
Stuart
"ptwilliams" wrote:
> You either logon to that box with administrative credentials and add the
> groups manually, or you automate this across the enterprise.
>
> If you go with the latter, then the most widely used options (and
> recommended here) are a startup script that uses net localgroup or the
> restricted groups aspect of GPO.
>
>
> --
>
> Paul Williams
>
> http://www.msresource.net/
> http://forums.msresource.net/
>
>
>
Related ressources:
- ForumActive Directory & local permissions in XP.
- ForumUse Active Directory to set work station local rights
- ForumAdd additional groups to local Administrators group on Wor..
- ForumLocal Administrators
- ForumSP2 problem: Add Domain users in the local Administrators ..
- ForumActive Directory User Groups
- ForumRun time error 75 in active directory user for windows 7
- Forumactive directory question
- ForumActive Directory / Policies questions
- ForumXP Pro - Active Directory User Unable to set Desktop
- ForumActive Directory 2003 - Restore - The system could not log..
- ForumADAM - Active Directory Application Mode
- ForumActive Directory Corrupt
- ForumProblems faced in deploying Active Directory
- ForumServer-based group policy without active directory ?
- ForumActive Directory
- ForumRemoving Active Directory
- ForumCannot recreate Active Directory records within Forward Lo..
- ForumBooting W2K Server in Active Directory Repair Mode
- ForumParallel and com ports not appearing in device manager
- More resources
!
