Local admin rights?

Archived from groups: microsoft.public.win2000.security (More info?)

Hello,

I have a client running a Novell and WindowsNT4.0 environment. When users
log into Novell, they are also logged onto the domain (since passwords
match). Currently, no one has local admin access to their own machine, so
they cannot install software, use Windows Update, etc. What is the easiest
way to give a user local admin rights to their own machine under WinNT4.0? I
tried creating a local account on the workstation, but then realized that the
user never logs on to this workstation account since they are authenticating
to the domain. Users need to be able to install software, use Windows
Update, etc. The only stipulation is that users should NOT be able to view
another machine's C: drive (i.e., \\machine-name\c$).

Thanks for any advice-
Shane
8 answers Last reply
More about local admin rights
  1. Archived from groups: microsoft.public.win2000.security (More info?)

    Add the user's domain account to the local Administrator's group on each
    individual workstation. Be sure to add only the domain account of the user
    who "owns" that machine, so that they cannot access each others'
    information.

    --
    *****************
    Laura E. Hunter - MVP
    Replies to Newsgroup only
    All advice offered as-is, no warranties expressed or implied
    "Shane White" <ShaneWhite@discussions.microsoft.com> wrote in message
    news:039257B8-7EA0-46EE-BDC0-2DCCD0E9F080@microsoft.com...
    > Hello,
    >
    > I have a client running a Novell and WindowsNT4.0 environment. When users
    > log into Novell, they are also logged onto the domain (since passwords
    > match). Currently, no one has local admin access to their own machine, so
    > they cannot install software, use Windows Update, etc. What is the
    > easiest
    > way to give a user local admin rights to their own machine under WinNT4.0?
    > I
    > tried creating a local account on the workstation, but then realized that
    > the
    > user never logs on to this workstation account since they are
    > authenticating
    > to the domain. Users need to be able to install software, use Windows
    > Update, etc. The only stipulation is that users should NOT be able to
    > view
    > another machine's C: drive (i.e., \\machine-name\c$).
    >
    > Thanks for any advice-
    > Shane
    >
  2. Archived from groups: microsoft.public.win2000.security (More info?)

    While adding a the user's domain account to the local
    machine's Administrators group accomplishes your
    objective, it is, IMO loosing ground. Instead, tell them
    that they need to log off from their domain account and
    then log in with the local account you have already
    defined in order to install software, or use Windows
    Update. If you have a Windows (post-NT4) server with
    IIS you could consider installing a SUS server so that
    the users would not need to visit Windows Update for
    security patches.


    --
    Roger Abell
    Microsoft MVP (Windows Server System: Security)
    MCSE (W2k3,W2k,Nt4) MCDBA
    "Shane White" <ShaneWhite@discussions.microsoft.com> wrote in message
    news:039257B8-7EA0-46EE-BDC0-2DCCD0E9F080@microsoft.com...
    > Hello,
    >
    > I have a client running a Novell and WindowsNT4.0 environment. When users
    > log into Novell, they are also logged onto the domain (since passwords
    > match). Currently, no one has local admin access to their own machine, so
    > they cannot install software, use Windows Update, etc. What is the
    easiest
    > way to give a user local admin rights to their own machine under WinNT4.0?
    I
    > tried creating a local account on the workstation, but then realized that
    the
    > user never logs on to this workstation account since they are
    authenticating
    > to the domain. Users need to be able to install software, use Windows
    > Update, etc. The only stipulation is that users should NOT be able to
    view
    > another machine's C: drive (i.e., \\machine-name\c$).
    >
    > Thanks for any advice-
    > Shane
    >
  3. Archived from groups: microsoft.public.win2000.security (More info?)

    Shane White wrote:

    > Hello,
    >
    > I have a client running a Novell and WindowsNT4.0 environment. When users
    > log into Novell, they are also logged onto the domain (since passwords
    > match). Currently, no one has local admin access to their own machine, so
    > they cannot install software, use Windows Update, etc. What is the easiest
    > way to give a user local admin rights to their own machine under WinNT4.0? I
    > tried creating a local account on the workstation, but then realized that the
    > user never logs on to this workstation account since they are authenticating
    > to the domain. Users need to be able to install software, use Windows
    > Update, etc. The only stipulation is that users should NOT be able to view
    > another machine's C: drive (i.e., \\machine-name\c$).
    Hi

    We add "NT Authority\Interactive" in the local Administrators
    group to let all domain users automatically be local admins
    when they log on to a domain computer interactively.

    This is more secure than adding "Authenticated Domain users ",
    "Domain Users" or "NT AUTHORITY\Authenticated Users" because you
    avoid the issue with cross network admin rights (remote access)
    that these groups introduces.


    --
    torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
    Administration scripting examples and an ONLINE version of
    the 1328 page Scripting Guide:
    http://www.microsoft.com/technet/scriptcenter/default.mspx
  4. Archived from groups: microsoft.public.win2000.security (More info?)

    A small handful of users needs to be able to install
    programs periodically on WinXP workstations. We have no
    Windows Domain here, and by default all users are made
    members of the Power Users group.

    Rather than make these users members of the local
    Administrators group, I was wondering if one of the local
    User Right settings could be modified to allow them to
    accomplish a periodic software install?


    >-----Original Message-----
    >Add the user's domain account to the local
    Administrator's group on each
    >individual workstation. Be sure to add only the domain
    account of the user
    >who "owns" that machine, so that they cannot access each
    others'
    >information.
    >
    >--
    >*****************
    >Laura E. Hunter - MVP
    >Replies to Newsgroup only
    >All advice offered as-is, no warranties expressed or
    implied
    >"Shane White" <ShaneWhite@discussions.microsoft.com>
    wrote in message
    >news:039257B8-7EA0-46EE-BDC0-
    2DCCD0E9F080@microsoft.com...
    >> Hello,
    >>
    >> I have a client running a Novell and WindowsNT4.0
    environment. When users
    >> log into Novell, they are also logged onto the domain
    (since passwords
    >> match). Currently, no one has local admin access to
    their own machine, so
    >> they cannot install software, use Windows Update,
    etc. What is the
    >> easiest
    >> way to give a user local admin rights to their own
    machine under WinNT4.0?
    >> I
    >> tried creating a local account on the workstation, but
    then realized that
    >> the
    >> user never logs on to this workstation account since
    they are
    >> authenticating
    >> to the domain. Users need to be able to install
    software, use Windows
    >> Update, etc. The only stipulation is that users
    should NOT be able to
    >> view
    >> another machine's C: drive (i.e., \\machine-name\c$).
    >>
    >> Thanks for any advice-
    >> Shane
    >>
    >
    >
    >.
    >
  5. Archived from groups: microsoft.public.win2000.security (More info?)

    There is not a user right that can accomplish that but if the software
    install is a .msi package or can be converted into a .msi package then you
    can modify the local Group Policy so that .msi applications are always
    installed with elevated permissions. Local Group Policy is opened via
    gpedit.msc and on a local computer will apply to ALL users that use the
    computer. You would have to enable always installed with elevated
    permissions in both computer and user configuration. The link below explains
    more. --- Steve

    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/gp/324.asp

    "illingsk@cityofrochester.gov" <anonymous@discussions.microsoft.com> wrote
    in message news:234a01c4bcea$343cb760$a301280a@phx.gbl...
    >A small handful of users needs to be able to install
    > programs periodically on WinXP workstations. We have no
    > Windows Domain here, and by default all users are made
    > members of the Power Users group.
    >
    > Rather than make these users members of the local
    > Administrators group, I was wondering if one of the local
    > User Right settings could be modified to allow them to
    > accomplish a periodic software install?
    >
    >
    >>-----Original Message-----
    >>Add the user's domain account to the local
    > Administrator's group on each
    >>individual workstation. Be sure to add only the domain
    > account of the user
    >>who "owns" that machine, so that they cannot access each
    > others'
    >>information.
    >>
    >>--
    >>*****************
    >>Laura E. Hunter - MVP
    >>Replies to Newsgroup only
    >>All advice offered as-is, no warranties expressed or
    > implied
    >>"Shane White" <ShaneWhite@discussions.microsoft.com>
    > wrote in message
    >>news:039257B8-7EA0-46EE-BDC0-
    > 2DCCD0E9F080@microsoft.com...
    >>> Hello,
    >>>
    >>> I have a client running a Novell and WindowsNT4.0
    > environment. When users
    >>> log into Novell, they are also logged onto the domain
    > (since passwords
    >>> match). Currently, no one has local admin access to
    > their own machine, so
    >>> they cannot install software, use Windows Update,
    > etc. What is the
    >>> easiest
    >>> way to give a user local admin rights to their own
    > machine under WinNT4.0?
    >>> I
    >>> tried creating a local account on the workstation, but
    > then realized that
    >>> the
    >>> user never logs on to this workstation account since
    > they are
    >>> authenticating
    >>> to the domain. Users need to be able to install
    > software, use Windows
    >>> Update, etc. The only stipulation is that users
    > should NOT be able to
    >>> view
    >>> another machine's C: drive (i.e., \\machine-name\c$).
    >>>
    >>> Thanks for any advice-
    >>> Shane
    >>>
    >>
    >>
    >>.
    >>
  6. Archived from groups: microsoft.public.win2000.security (More info?)

    Thanks a lot Steve. This is just what I was looking for.
    I simply did not know precisely what to ask for.
    >-----Original Message-----
    >There is not a user right that can accomplish that but
    if the software
    >install is a .msi package or can be converted into
    a .msi package then you
    >can modify the local Group Policy so that .msi
    applications are always
    >installed with elevated permissions. Local Group Policy
    is opened via
    >gpedit.msc and on a local computer will apply to ALL
    users that use the
    >computer. You would have to enable always installed with
    elevated
    >permissions in both computer and user configuration. The
    link below explains
    >more. --- Steve
    >
    >http://msdn.microsoft.com/library/default.asp?
    url=/library/en-us/gp/324.asp
    >
    >"illingsk@cityofrochester.gov"
    <anonymous@discussions.microsoft.com> wrote
    >in message news:234a01c4bcea$343cb760$a301280a@phx.gbl...
    >>A small handful of users needs to be able to install
    >> programs periodically on WinXP workstations. We have no
    >> Windows Domain here, and by default all users are made
    >> members of the Power Users group.
    >>
    >> Rather than make these users members of the local
    >> Administrators group, I was wondering if one of the
    local
    >> User Right settings could be modified to allow them to
    >> accomplish a periodic software install?
    >>
    >>
    >>>-----Original Message-----
    >>>Add the user's domain account to the local
    >> Administrator's group on each
    >>>individual workstation. Be sure to add only the domain
    >> account of the user
    >>>who "owns" that machine, so that they cannot access
    each
    >> others'
    >>>information.
    >>>
    >>>--
    >>>*****************
    >>>Laura E. Hunter - MVP
    >>>Replies to Newsgroup only
    >>>All advice offered as-is, no warranties expressed or
    >> implied
    >>>"Shane White" <ShaneWhite@discussions.microsoft.com>
    >> wrote in message
    >>>news:039257B8-7EA0-46EE-BDC0-
    >> 2DCCD0E9F080@microsoft.com...
    >>>> Hello,
    >>>>
    >>>> I have a client running a Novell and WindowsNT4.0
    >> environment. When users
    >>>> log into Novell, they are also logged onto the domain
    >> (since passwords
    >>>> match). Currently, no one has local admin access to
    >> their own machine, so
    >>>> they cannot install software, use Windows Update,
    >> etc. What is the
    >>>> easiest
    >>>> way to give a user local admin rights to their own
    >> machine under WinNT4.0?
    >>>> I
    >>>> tried creating a local account on the workstation,
    but
    >> then realized that
    >>>> the
    >>>> user never logs on to this workstation account since
    >> they are
    >>>> authenticating
    >>>> to the domain. Users need to be able to install
    >> software, use Windows
    >>>> Update, etc. The only stipulation is that users
    >> should NOT be able to
    >>>> view
    >>>> another machine's C: drive (i.e., \\machine-name\c$).
    >>>>
    >>>> Thanks for any advice-
    >>>> Shane
    >>>>
    >>>
    >>>
    >>>.
    >>>
    >
    >
    >.
    >
  7. Archived from groups: microsoft.public.win2000.security (More info?)

    You know, I have tried very hard to drill down to this
    article in the MSDN Library though its Table of Contents
    without success. I sometimes find it useful to do this so
    as to identify what subtle associations the author is
    making about this subject matter.

    Alternatively, I can find this article by searching
    for 'elevated permissions' ok.
    >-----Original Message-----
    >There is not a user right that can accomplish that but
    if the software
    >install is a .msi package or can be converted into
    a .msi package then you
    >can modify the local Group Policy so that .msi
    applications are always
    >installed with elevated permissions. Local Group Policy
    is opened via
    >gpedit.msc and on a local computer will apply to ALL
    users that use the
    >computer. You would have to enable always installed with
    elevated
    >permissions in both computer and user configuration. The
    link below explains
    >more. --- Steve
    >
    >http://msdn.microsoft.com/library/default.asp?
    url=/library/en-us/gp/324.asp
    >
    >"illingsk@cityofrochester.gov"
    <anonymous@discussions.microsoft.com> wrote
    >in message news:234a01c4bcea$343cb760$a301280a@phx.gbl...
    >>A small handful of users needs to be able to install
    >> programs periodically on WinXP workstations. We have no
    >> Windows Domain here, and by default all users are made
    >> members of the Power Users group.
    >>
    >> Rather than make these users members of the local
    >> Administrators group, I was wondering if one of the
    local
    >> User Right settings could be modified to allow them to
    >> accomplish a periodic software install?
    >>
    >>
    >>>-----Original Message-----
    >>>Add the user's domain account to the local
    >> Administrator's group on each
    >>>individual workstation. Be sure to add only the domain
    >> account of the user
    >>>who "owns" that machine, so that they cannot access
    each
    >> others'
    >>>information.
    >>>
    >>>--
    >>>*****************
    >>>Laura E. Hunter - MVP
    >>>Replies to Newsgroup only
    >>>All advice offered as-is, no warranties expressed or
    >> implied
    >>>"Shane White" <ShaneWhite@discussions.microsoft.com>
    >> wrote in message
    >>>news:039257B8-7EA0-46EE-BDC0-
    >> 2DCCD0E9F080@microsoft.com...
    >>>> Hello,
    >>>>
    >>>> I have a client running a Novell and WindowsNT4.0
    >> environment. When users
    >>>> log into Novell, they are also logged onto the domain
    >> (since passwords
    >>>> match). Currently, no one has local admin access to
    >> their own machine, so
    >>>> they cannot install software, use Windows Update,
    >> etc. What is the
    >>>> easiest
    >>>> way to give a user local admin rights to their own
    >> machine under WinNT4.0?
    >>>> I
    >>>> tried creating a local account on the workstation,
    but
    >> then realized that
    >>>> the
    >>>> user never logs on to this workstation account since
    >> they are
    >>>> authenticating
    >>>> to the domain. Users need to be able to install
    >> software, use Windows
    >>>> Update, etc. The only stipulation is that users
    >> should NOT be able to
    >>>> view
    >>>> another machine's C: drive (i.e., \\machine-name\c$).
    >>>>
    >>>> Thanks for any advice-
    >>>> Shane
    >>>>
    >>>
    >>>
    >>>.
    >>>
    >
    >
    >.
    >
  8. Archived from groups: microsoft.public.win2000.security (More info?)

    I have not seen a lot about that either. If you want to see more info about
    Windows Installer and .msi installations the link below and the section on
    How Windows Installer Works may be helpful though it is geared more for a
    domain environment. --- Steve

    http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/techref/en-us/Default.asp?url=/resources/documentation/windowsserv/2003/all/techref/en-us/w2k3tr_gpswi_how.asp
    http://tinyurl.com/4jjt3 -- same link as above, shorter.

    "illingsk@cityofrochester.gov" <anonymous@discussions.microsoft.com> wrote
    in message news:292b01c4bdc1$9a67acc0$a301280a@phx.gbl...
    > You know, I have tried very hard to drill down to this
    > article in the MSDN Library though its Table of Contents
    > without success. I sometimes find it useful to do this so
    > as to identify what subtle associations the author is
    > making about this subject matter.
    >
    > Alternatively, I can find this article by searching
    > for 'elevated permissions' ok.
    >>-----Original Message-----
    >>There is not a user right that can accomplish that but
    > if the software
    >>install is a .msi package or can be converted into
    > a .msi package then you
    >>can modify the local Group Policy so that .msi
    > applications are always
    >>installed with elevated permissions. Local Group Policy
    > is opened via
    >>gpedit.msc and on a local computer will apply to ALL
    > users that use the
    >>computer. You would have to enable always installed with
    > elevated
    >>permissions in both computer and user configuration. The
    > link below explains
    >>more. --- Steve
    >>
    >>http://msdn.microsoft.com/library/default.asp?
    > url=/library/en-us/gp/324.asp
    >>
    >>"illingsk@cityofrochester.gov"
    > <anonymous@discussions.microsoft.com> wrote
    >>in message news:234a01c4bcea$343cb760$a301280a@phx.gbl...
    >>>A small handful of users needs to be able to install
    >>> programs periodically on WinXP workstations. We have no
    >>> Windows Domain here, and by default all users are made
    >>> members of the Power Users group.
    >>>
    >>> Rather than make these users members of the local
    >>> Administrators group, I was wondering if one of the
    > local
    >>> User Right settings could be modified to allow them to
    >>> accomplish a periodic software install?
    >>>
    >>>
    >>>>-----Original Message-----
    >>>>Add the user's domain account to the local
    >>> Administrator's group on each
    >>>>individual workstation. Be sure to add only the domain
    >>> account of the user
    >>>>who "owns" that machine, so that they cannot access
    > each
    >>> others'
    >>>>information.
    >>>>
    >>>>--
    >>>>*****************
    >>>>Laura E. Hunter - MVP
    >>>>Replies to Newsgroup only
    >>>>All advice offered as-is, no warranties expressed or
    >>> implied
    >>>>"Shane White" <ShaneWhite@discussions.microsoft.com>
    >>> wrote in message
    >>>>news:039257B8-7EA0-46EE-BDC0-
    >>> 2DCCD0E9F080@microsoft.com...
    >>>>> Hello,
    >>>>>
    >>>>> I have a client running a Novell and WindowsNT4.0
    >>> environment. When users
    >>>>> log into Novell, they are also logged onto the domain
    >>> (since passwords
    >>>>> match). Currently, no one has local admin access to
    >>> their own machine, so
    >>>>> they cannot install software, use Windows Update,
    >>> etc. What is the
    >>>>> easiest
    >>>>> way to give a user local admin rights to their own
    >>> machine under WinNT4.0?
    >>>>> I
    >>>>> tried creating a local account on the workstation,
    > but
    >>> then realized that
    >>>>> the
    >>>>> user never logs on to this workstation account since
    >>> they are
    >>>>> authenticating
    >>>>> to the domain. Users need to be able to install
    >>> software, use Windows
    >>>>> Update, etc. The only stipulation is that users
    >>> should NOT be able to
    >>>>> view
    >>>>> another machine's C: drive (i.e., \\machine-name\c$).
    >>>>>
    >>>>> Thanks for any advice-
    >>>>> Shane
    >>>>>
    >>>>
    >>>>
    >>>>.
    >>>>
    >>
    >>
    >>.
    >>
Ask a new question

Read More

Windows