problem with giving domain users local admin rights

Anonymous
January 27, 2005 1:51:03 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

I have server 2000 running and have created a security group with certain
users added to it.
I want these users to have local admin rights to all workstations in the
domain. So I created a logon script and added the net localgroup
"domain\group" /add, and then applied to the domain thru gpo on the logon
script part. For whatever reason this is not adding the security group to the
local admin group on the workstation. The rest of the script works fine
though.

--
vamshi
Anonymous
January 28, 2005 12:50:34 AM


vamshi wrote:
> I have server 2000 running and have created a security group with
> certain users added to it.
> I want these users to have local admin rights to all workstations in
> the domain. So I created a logon script and added the net localgroup
> "domain\group" /add, and then applied to the domain thru gpo on the
> logon script part. For whatever reason this is not adding the
> security group to the local admin group on the workstation. The rest
> of the script works fine though.

Is the login script running under the user's credentials? They can't grant
themselves more rights than they have now.

I strongly suggest you rethink this anyway - users shouldn't have local
admin rights. Very Bad Things can happen this way.
Anonymous
January 28, 2005 9:23:03 AM


I applied the logon script to the OU the users are in thru group policy under
user config.\windows settings\logon etc.
They need admin rights because we are constantly evaluating new software
from companies we do business with. And also there are updates to these third
party programs that come out on a monthly basis. This would allow users to
install stuff like hotbar and weatherbug, but we can scan the network for
those and have users remove it. It would be less administration if users had
admin rights, and anybody that abuses those privileges will be dealt with on a
case by case basis.

Should I run this script at startup instead?


"Lanwench [MVP - Exchange]" wrote:

> vamshi wrote:
> > I have server 2000 running and have created a security group with
> > certain users added to it.
> > I want these users to have local admin rights to all workstations in
> > the domain. So I created a logon script and added the net localgroup
> > "domain\group" /add, and then applied to the domain thru gpo on the
> > logon script part. For whatever reason this is not adding the
> > security group to the local admin group on the workstation. The rest
> > of the script works fine though.
>
> Is the login script running under the user's credentials? They can't grant
> themselves more rights than they have now.
>
> I strongly suggest you rethink this anyway - users shouldn't have local
> admin rights. Very Bad Things can happen this way.
Anonymous
January 28, 2005 2:04:33 PM


vamshi wrote:
> I applied the logon script to the OU the users are in thru group
> policy under user config.\windows settings\logon etc.

OK - as said, a user cannot grant himself more permissions than he already
has.

> they need admin rights because we are constantly evaluating new
> software from companies we do business with. And also there are
> updates to these third party programs that come out on a monthly
> basis. This would allow users to install stuff like hotbar and
> weatherbug, but we can scan the network for those and have users
> remove it. It would be less administration if users had admin rights.
> and anybody that abuses those privileges will be dealt with on a case
> by case basis.
>
> Should I run this script at startup instead

You need to run it under computer, not user, I think.
>
>
> "Lanwench [MVP - Exchange]" wrote:
>
>> vamshi wrote:
>>> I have server 2000 running and have created a security group with
>>> certain users added to it.
>>> I want these users to have local admin rights to all workstations in
>>> the domain. So I created a logon script and added the net localgroup
>>> "domain\group" /add, and then applied to the domain thru gpo on the
>>> logon script part. For whatever reason this is not adding the
>>> security group to the local admin group on the workstation. The
>>> rest of the script works fine though.
>>
>> Is the login script running under the user's credentials? They can't
>> grant themselves more rights than they have now.
>>
>> I strongly suggest you rethink this anyway - users shouldn't have
>> local admin rights. Very Bad Things can happen this way.
Anonymous
January 28, 2005 10:43:58 PM


Lanwench, Vamsi,

comments in-line......

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com



"Lanwench [MVP - Exchange]"
<lanwench@heybuddy.donotsendme.unsolicitedmail.atyahoo.com> wrote in message
news:o kIIK%23VBFHA.3320@TK2MSFTNGP10.phx.gbl...
> vamshi wrote:
>> I applied the logon script to the OU the users are in thru group
>> policy under user config.\windows settings\logon etc.
>
> OK - as said, a user cannot grant himself more permissions than he already
> has.


Correct! Think about the consequences were this not the case. Network
security would be a complete farce. Users would be able to make themselves
members of the local Administrators group and God knows what else.

This logon script would actually need to be a start up script.

And, there is a much better way to do this. Look into the Restricted Groups
GPO. Here are two MSKB Articles that will get you going:

http://support.microsoft.com/?id=320065
http://support.microsoft.com/?id=810076


>> they need admin rights because we are constantly evaluating new
>> software from companies we do business with. And also there are
>> updates to these third party programs that come out on a monthly
>> basis. This would allow users to install stuff like hotbar and
>> weatherbug, but we can scan the network for those and have users
>> remove it. It would be less administration if users had admin rights.
>> and anybody that abuses those privileges will be dealt with on a case
>> by case basis.

You might want to look into the Restricted Software GPO to help out with
this. Granted, in a WIN2000 environment there is an easy way around this
for the end-user ( simply rename the .exe or whatever ) but with WIN2003
this is not possible as a hash is used...renaming the .exe or whatever does
not make a hill of beans of difference.

You also might want to take a workstation and try to install the software on
it. Assuming that this fails then you might want to take a look at regmon
and filemon from http://www.sysinternals.com to figure out where the failure
is occurring.

>> Should I run this script at startup instead
>
> You need to run it under computer, not user, I think.
>>
>>
>> "Lanwench [MVP - Exchange]" wrote:
>>
>>> vamshi wrote:
>>>> I have server 2000 running and have created a security group with
>>>> certain users added to it.
>>>> I want these users to have local admin rights to all workstations in
>>>> the domain. So I created a logon script and added the net localgroup
>>>> "domain\group" /add, and then applied to the domain thru gpo on the
>>>> logon script part. For whatever reason this is not adding the
>>>> security group to the local admin group on the workstation. The
>>>> rest of the script works fine though.
>>>
>>> Is the login script running under the user's credentials? They can't
>>> grant themselves more rights than they have now.
>>>
>>> I strongly suggest you rethink this anyway - users shouldn't have
>>> local admin rights. Very Bad Things can happen this way.


I will spare you the stories that I could tell you about users deleting all
of their fonts because they needed special fonts and did not want to have to
remember which ones were special or about the users who deleted a ton of
things to make room for their music files or......

I never never never encourage this and do just about everything to prevent
this. Domain user account objects should be in the USERS or at most POWER
USERS local groups....no more.
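To make Cary's Restricted Groups pointer concrete, here is an added example (not from the thread or the KB articles it cites) of the [Group Membership] section of a GPO security template (GptTmpl.inf) showing both ways of expressing the policy. The key names are the ones secedit writes as far as I know them, CONTOSO\Workstation Admins is a placeholder group, and S-1-5-32-544 is the well-known SID of the local Administrators group.

```ini
; Added example, not a template from the thread: two alternative
; Restricted Groups entries. Use ONE of the two forms, not both.
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1

[Group Membership]
; Form 1 - "Members of this group". The list is ENFORCED: at every policy
; refresh the local Administrators group is made to contain exactly these
; members, so anything not listed (local Administrator, Domain Admins,
; a vendor support account) is removed. This is the behaviour Steve warns
; about further down in the thread.
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = Administrator,CONTOSO\Domain Admins,CONTOSO\Workstation Admins

; Form 2 - "This group is a member of" (the approach KB 810076 describes).
; The domain group is ADDED to local Administrators and the existing
; membership is left alone, which is the additive effect the original
; poster wanted from the logon script.
CONTOSO\Workstation Admins__Memberof = Administrators
CONTOSO\Workstation Admins__Members =
```

Whichever form is used, check the result on one workstation with `net localgroup Administrators` after `secedit /refreshpolicy machine_policy` before linking the GPO to the whole domain.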
Anonymous
January 28, 2005 10:46:03 PM


"Lanwench MVP - Exc" wrote:
> vamshi wrote:
> > I applied the logon script to the OU the users are in thru group
> > policy under user config.\windows settings\logon etc.
>
> OK - as said, a user cannot grant himself more permissions than he already
> has.
>
> > they need admin rights because we are constantly evaluating new
> > software from companies we do business with. And also there are
> > updates to these third party programs that come out on a monthly
> > basis. This would allow users to install stuff like hotbar and
> > weatherbug, but we can scan the network for those and have users
> > remove it. It would be less administration if users had admin rights.
> > and anybody that abuses those privileges will be dealt with on a case
> > by case basis.
> >
> > Should I run this script at startup instead
>
> You need to run it under computer, not user, I think.
> >
> >
> > "Lanwench [MVP - Exchange]" wrote:
> >
> >> vamshi wrote:
> >>> I have server 2000 running and have created a security group with
> >>> certain users added to it.
> >>> I want these users to have local admin rights to all workstations in
> >>> the domain. So I created a logon script and added the net localgroup
> >>> "domain\group" /add, and then applied to the domain thru gpo on the
> >>> logon script part. For whatever reason this is not adding the
> >>> security group to the local admin group on the workstation. The
> >>> rest of the script works fine though.
> >>
> >> Is the login script running under the user's credentials? They can't
> >> grant themselves more rights than they have now.
> >>
> >> I strongly suggest you rethink this anyway - users shouldn't have
> >> local admin rights. Very Bad Things can happen this way.

Hi,

You need to investigate Restricted Groups. Here you can add domain
accounts to local accounts on machines. A script won’t do that I am
afraid.

Cheers,

Lara

--
Posted using the http://www.windowsforumz.com interface, at author's request
Articles individually checked for conformance to usenet standards
Topic URL: http://www.windowsforumz.com/Group-Policy-problem-givin...
Visit Topic URL to contact author (reg. req'd). Report abuse: http://www.windowsforumz.com/eform.php?p=796060
Anonymous
January 28, 2005 11:26:19 PM


"lforbes" <UseLinkToEmail@WindowsForumz.com> wrote in message
news:41fadccb$1_4@alt.athenanews.com...
> "Lanwench MVP - Exc" wrote:
> > vamshi wrote:
> > > I applied the logon script to the OU the users are in thru group
> > > policy under user config.\windows settings\logon etc.
> >
> > OK - as said, a user cannot grant himself more permissions than he already
> > has.
> >
> > > they need admin rights because we are constantly evaluating new
> > > software from companies we do business with. And also there are
> > > updates to these third party programs that come out on a monthly
> > > basis. This would allow users to install stuff like hotbar and
> > > weatherbug, but we can scan the network for those and have users
> > > remove it. It would be less administration if users had admin rights.
> > > and anybody that abuses those privileges will be dealt with on a case
> > > by case basis.
> > >
> > > Should I run this script at startup instead
> >
> > You need to run it under computer, not user, I think.
> > >
> > >
> > > "Lanwench [MVP - Exchange]" wrote:
> > >
>
> Hi,
>
> You need to investigate Restricted Groups. Here you can add domain
> accounts to local accounts on machines. A script won't do that I am
> afraid.
>
> Cheers,
>
> Lara
>
> --
> Posted using the http://www.windowsforumz.com interface, at author's
> request
> Articles individually checked for conformance to usenet standards
> Topic URL:
> http://www.windowsforumz.com/Group-Policy-problem-givin...
> Visit Topic URL to contact author (reg. req'd). Report abuse:
> http://www.windowsforumz.com/eform.php?p=796060
Anonymous
January 28, 2005 11:37:12 PM


You can use a script to add domain user/group to the local administrators
group of domain computers using the "net localgroup" command. It must
however be a startup script which will then run in system context. It works
well in situations where you do not want to use restricted groups due to the
fact that it may remove all current users/groups in the local administrators
group of the domain computer. --- Steve


"lforbes" <UseLinkToEmail@WindowsForumz.com> wrote in message
news:41fadccb$1_4@alt.athenanews.com...
> "Lanwench MVP - Exc" wrote:
> > vamshi wrote:
> > > I applied the logon script to the OU the users are in thru group
> > > policy under user config.\windows settings\logon etc.
> >
> > OK - as said, a user cannot grant himself more permissions than he already
> > has.
> >
> > > they need admin rights because we are constantly evaluating new
> > > software from companies we do business with. And also there are
> > > updates to these third party programs that come out on a monthly
> > > basis. This would allow users to install stuff like hotbar and
> > > weatherbug, but we can scan the network for those and have users
> > > remove it. It would be less administration if users had admin rights.
> > > and anybody that abuses those privileges will be dealt with on a case
> > > by case basis.
> > >
> > > Should I run this script at startup instead
> >
> > You need to run it under computer, not user, I think.
> > >
> > >
> > > "Lanwench [MVP - Exchange]" wrote:
> > >
>
> Hi,
>
> You need to investigate Restricted Groups. Here you can add domain
> accounts to local accounts on machines. A script won't do that I am
> afraid.
>
> Cheers,
>
> Lara
>
> --
> Posted using the http://www.windowsforumz.com interface, at author's
> request
> Articles individually checked for conformance to usenet standards
> Topic URL:
> http://www.windowsforumz.com/Group-Policy-problem-givin...
> Visit Topic URL to contact author (reg. req'd). Report abuse:
> http://www.windowsforumz.com/eform.php?p=796060
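The startup-script route Steve describes, written out as an added example (not Steve's or Cary's code). It assumes the script is assigned under Computer Configuration so it runs as LocalSystem at boot; CONTOSO\Workstation Admins and the log file path are placeholder names.

```batch
@echo off
rem Added example, not code from the thread: a GPO *startup* script that adds
rem a domain group to the local Administrators group. Assign it under
rem Computer Configuration\Windows Settings\Scripts (Startup/Shutdown)\Startup
rem so it runs as LocalSystem at boot rather than under the logged-on user,
rem who cannot grant himself membership. CONTOSO\Workstation Admins and the
rem log path are placeholder names.
setlocal
set DOMGRP=CONTOSO\Workstation Admins
set LOGFILE=%SystemRoot%\Temp\localadmin-startup.log

rem Idempotency check: "net localgroup Administrators" lists the current
rem members one per line, so a second boot does not log a spurious failure.
net localgroup Administrators | find /i "%DOMGRP%" >nul
if %ERRORLEVEL%==0 (
    echo %DATE% %TIME% %DOMGRP% already in Administrators >> "%LOGFILE%"
    goto :EOF
)

rem Additive: unlike a Restricted Groups "Members of this group" policy,
rem this leaves the existing local Administrators members untouched.
net localgroup Administrators "%DOMGRP%" /add >> "%LOGFILE%" 2>&1
if %ERRORLEVEL% NEQ 0 (
    echo %DATE% %TIME% failed to add %DOMGRP%, errorlevel %ERRORLEVEL% >> "%LOGFILE%"
    exit /b %ERRORLEVEL%
)
echo %DATE% %TIME% added %DOMGRP% to Administrators >> "%LOGFILE%"
endlocal
```

If the log shows the add failing with an access-denied error, the script is running in user context (a logon script under User Configuration) rather than as the computer, which is exactly the symptom the original poster hit.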
Anonymous
January 29, 2005 12:40:20 AM


Steven,

But only if you have not used the fix in 810076! I personally like the
control that RG gives you. But, you are correct. The startup script could
be easier to set up for those who are less inclined to jump into something
like RG.

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com



"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:o XLhCtaBFHA.3924@TK2MSFTNGP10.phx.gbl...
> You can use a script to add domain user/group to the local administrators
> group of domain computers using the "net localgroup" command. It must
> however be a startup script which will then run in system context. It
> works well in situations where you do not want to use restricted groups
> due to the fact that it may remove all current users/groups in the local
> administrators group of the domain computer. --- Steve
>
>
> "lforbes" <UseLinkToEmail@WindowsForumz.com> wrote in message
> news:41fadccb$1_4@alt.athenanews.com...
>> "Lanwench MVP - Exc" wrote:
>> > vamshi wrote:
>> > > I applied the logon script to the OU the users are in thru group
>> > > policy under user config.\windows settings\logon etc.
>> >
>> > OK - as said, a user cannot grant himself more permissions than he
>> > already has.
>> >
>> > > they need admin rights because we are constantly evaluating new
>> > > software from companies we do business with. And also there are
>> > > updates to these third party programs that come out on a monthly
>> > > basis. This would allow users to install stuff like hotbar and
>> > > weatherbug, but we can scan the network for those and have users
>> > > remove it. It would be less administration if users had admin rights.
>> > > and anybody that abuses those privileges will be dealt with on a case
>> > > by case basis.
>> > >
>> > > Should I run this script at startup instead
>> >
>> > You need to run it under computer, not user, I think.
>> > >
>> > >
>> > > "Lanwench [MVP - Exchange]" wrote:
>> > >
>>
>> Hi,
>>
>> You need to investigate Restricted Groups. Here you can add domain
>> accounts to local accounts on machines. A script won't do that I am
>> afraid.
>>
>> Cheers,
>>
>> Lara
>>
>> --
>> Posted using the http://www.windowsforumz.com interface, at author's
>> request
>> Articles individually checked for conformance to usenet standards
>> Topic URL:
>> http://www.windowsforumz.com/Group-Policy-problem-givin...
>> Visit Topic URL to contact author (reg. req'd). Report abuse:
>> http://www.windowsforumz.com/eform.php?p=796060