Allow Admins to log on to W2K Desktop with Admin Rights

Archived from groups: microsoft.public.win2000.security

We want to have our support and admin staff be able to
log onto our W2K desktops with full local administrator
rights. All other users needed to have a restricted
desktop environment. Also we need to be able to manage
these permission groups via AD. We do not want these
users to have Domain Admin rights.

Can anyone help please?
  1. Archived from groups: microsoft.public.win2000.security

    You can use Restricted Groups to create a global group which has your users that can
    be added to the local administrators group of computers in an Organizational Unit.
    See the link below for details. --- Steve

    http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q320065

    "Chris" <anonymous@discussions.microsoft.com> wrote in message
    news:2c32501c469c4$b090c280$a601280a@phx.gbl...
    > We want to have our support and admin staff be able to
    > log onto our W2K desktops with full local administrator
    > rights. All other users needed to have a restricted
    > desktop environment. Also we need to be able to manage
    > these permission groups via AD. We do not want these
    > users to have Domain Admin rights.
    >
    > Can anyone help please?
    >
    >
  2. Archived from groups: microsoft.public.win2000.security

    Hi Chris

    You need to have all your workstations under a single OU. Then, ensure you
    have a security group on the domain that has the correct membership for your
    support and admin staff.

    Then, create a new Group Policy object and set up a computer startup script
    (Computer Configuration | Windows Settings | Scripts (Startup/Shutdown) |
    Startup).

    For name, use "net" and for parameters, use "localgroup administrators
    domain\helpdesk /add"

    This will execute the command "net localgroup administrators domain\helpdesk
    /add" each time a machine affected by the policy boots.

    Be aware that if a workstation falls out of scope of your GPO, the change
    won't be removed from the machine.

    There is a feature called "restricted groups" that behaves similarly, but
    depending on OS and hotfix level it can either replace the existing
    membership or add to it. The method outlined above is safer.

    Hope this helps

    Oli


    "Chris" <anonymous@discussions.microsoft.com> wrote in message
    news:2c32501c469c4$b090c280$a601280a@phx.gbl...
    > We want to have our support and admin staff be able to
    > log onto our W2K desktops with full local administrator
    > rights. All other users needed to have a restricted
    > desktop environment. Also we need to be able to manage
    > these permission groups via AD. We do not want these
    > users to have Domain Admin rights.
    >
    > Can anyone help please?
    >
    >
  3. Archived from groups: microsoft.public.win2000.security

    Unfortunately my original statement was not quite correct,
    we do have a number of users who require local admin
    rights to run some applications. Restricted group access
    removes all other members of that group, so this would
    not quite fit the requirement.

    Thanks for the help, any other suggestions?

  4. Archived from groups: microsoft.public.win2000.security

    The "net localgroup" command would have been perfect, but
    unfortunately the group we wish to add with the domain
    name is longer than 28 characters. The command fails
    with a syntax error.

    Other than changing the name any further suggestions
    would be greatly appreciated.

    Cheers.

  5. Archived from groups: microsoft.public.win2000.security

    Oli's suggestion would be your other option by using the net localgroup command in a
    startup script. --- Steve

    "Chris" <anonymous@discussions.microsoft.com> wrote in message
    news:2ce7d01c46a81$3a010f90$a601280a@phx.gbl...
    > Unfortunately my original statement was not quite correct,
    > we do have a number of users who require local admin
    > rights to run some applications. Restricted group access
    > removes all other members of that group, so this would
    > not quite fit the requirement.
    >
    > Thanks for the help, any other suggestions?
  6. Archived from groups: microsoft.public.win2000.security

    Damn. I don't know of a way around that. You might want to try posting to
    somewhere like microsoft.public.win2000.cmdprompt.admin or
    microsoft.public.scripting.wsh in case there is another method for doing
    that.

    I'm not sure if you could do something with group nesting and use a shorter
    name for the new group.

    Regards

    Oli


    <anonymous@discussions.microsoft.com> wrote in message
    news:2d8bb01c46a82$25324240$a401280a@phx.gbl...
    > The "net localgroup" command would have been perfect, but
    > unfortunately the group we wish to add with the domain
    > name is longer than 28 characters. The command fails
    > with a syntax error.
    >
    > Other than changing the name any further suggestions
    > would be greatly appreciated.
    >
    > Cheers.
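
Following Oli's pointer to the scripting groups, one way to make the same additive change without passing the group name through the net.exe command line is a WSH computer startup script that uses the ADSI WinNT provider. This is an added example, not code from any poster in the thread; EXAMPLEDOMAIN and the group name are placeholders, and it assumes the local group is named Administrators (English-language Windows).

```vbscript
' Added example: computer startup script for a GPO linked to the workstations OU.
' Adds one domain group to the local Administrators group and leaves every
' existing member in place (unlike a Restricted Groups "Members" list).
' DOMAIN_NAME and GROUP_NAME are placeholders, not values from the thread.
Option Explicit

Const DOMAIN_NAME = "EXAMPLEDOMAIN"
Const GROUP_NAME  = "Desktop Support Local Administrators"
Const EVT_SUCCESS = 0
Const EVT_ERROR   = 1

Dim objShell, objNetwork, objAdmins, strMember, blnMember

Set objShell   = CreateObject("WScript.Shell")
Set objNetwork = CreateObject("WScript.Network")
strMember = "WinNT://" & DOMAIN_NAME & "/" & GROUP_NAME

On Error Resume Next

' Bind to the local Administrators group on this workstation.
Set objAdmins = GetObject("WinNT://" & objNetwork.ComputerName & "/Administrators,group")
If Err.Number <> 0 Then
    objShell.LogEvent EVT_ERROR, "Startup script: cannot bind to local Administrators (0x" & Hex(Err.Number) & ")"
    WScript.Quit 1
End If

' Idempotent: the script runs at every boot, so skip the add when already present.
blnMember = objAdmins.IsMember(strMember)
If Err.Number <> 0 Then
    objShell.LogEvent EVT_ERROR, "Startup script: membership check failed for " & strMember & " (0x" & Hex(Err.Number) & ")"
    WScript.Quit 1
End If
If blnMember Then WScript.Quit 0

objAdmins.Add strMember
If Err.Number <> 0 Then
    objShell.LogEvent EVT_ERROR, "Startup script: failed to add " & strMember & " (0x" & Hex(Err.Number) & ")"
    WScript.Quit 1
End If

' Record the change in the Application event log so the grant is auditable.
objShell.LogEvent EVT_SUCCESS, "Startup script: added " & strMember & " to local Administrators"
```

As with the `net localgroup` approach, nothing removes the membership when a workstation leaves the GPO's scope, so the event log entries are the record to review when auditing who holds local admin rights.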