Sign in with
Sign up | Sign in
Your question

Local admin rights?

Tags:
Last response: in Windows 2000/NT
Share
Anonymous
October 25, 2004 4:07:09 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Hello,

I have a client running a Novell and WindowsNT4.0 environment. When users
log into Novell, they are also logged onto the domain (since passwords
match). Currently, no one has local admin access to their own machine, so
they cannot install software, use Windows Update, etc. What is the easiest
way to give a user local admin rights to their own machine under WinNT4.0? I
tried creating a local account on the workstation, but then realized that the
user never logs on to this workstation account since they are authenticating
to the domain. Users need to be able to install software, use Windows
Update, etc. The only stipulation is that users should NOT be able to view
another machine's C: drive (i.e., \\machine-name\c$).

Thanks for any advice-
Shane

More about : local admin rights

Anonymous
October 25, 2004 7:14:22 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Add the user's domain account to the local Administrator's group on each
individual workstation. Be sure to add only the domain account of the user
who "owns" that machine, so that they cannot access each others'
information.

--
*****************
Laura E. Hunter - MVP
Replies to Newsgroup only
All advice offered as-is, no warranties expressed or implied
"Shane White" <ShaneWhite@discussions.microsoft.com> wrote in message
news:039257B8-7EA0-46EE-BDC0-2DCCD0E9F080@microsoft.com...
> Hello,
>
> I have a client running a Novell and WindowsNT4.0 environment. When users
> log into Novell, they are also logged onto the domain (since passwords
> match). Currently, no one has local admin access to their own machine, so
> they cannot install software, use Windows Update, etc. What is the
> easiest
> way to give a user local admin rights to their own machine under WinNT4.0?
> I
> tried creating a local account on the workstation, but then realized that
> the
> user never logs on to this workstation account since they are
> authenticating
> to the domain. Users need to be able to install software, use Windows
> Update, etc. The only stipulation is that users should NOT be able to
> view
> another machine's C: drive (i.e., \\machine-name\c$).
>
> Thanks for any advice-
> Shane
>
Anonymous
October 25, 2004 9:23:22 PM

Archived from groups: microsoft.public.win2000.security (More info?)

While adding a the user's domain account to the local
machine's Administrators group accomplishes your
objective, it is, IMO loosing ground. Instead, tell them
that they need to log off from their domain account and
then log in with the local account you have already
defined in order to install software, or use Windows
Update. If you have a Windows (post-NT4) server with
IIS you could consider installing a SUS server so that
the users would not need to visit Windows Update for
security patches.


--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Shane White" <ShaneWhite@discussions.microsoft.com> wrote in message
news:039257B8-7EA0-46EE-BDC0-2DCCD0E9F080@microsoft.com...
> Hello,
>
> I have a client running a Novell and WindowsNT4.0 environment. When users
> log into Novell, they are also logged onto the domain (since passwords
> match). Currently, no one has local admin access to their own machine, so
> they cannot install software, use Windows Update, etc. What is the
easiest
> way to give a user local admin rights to their own machine under WinNT4.0?
I
> tried creating a local account on the workstation, but then realized that
the
> user never logs on to this workstation account since they are
authenticating
> to the domain. Users need to be able to install software, use Windows
> Update, etc. The only stipulation is that users should NOT be able to
view
> another machine's C: drive (i.e., \\machine-name\c$).
>
> Thanks for any advice-
> Shane
>
Related resources
Anonymous
October 26, 2004 9:59:36 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Shane White wrote:

> Hello,
>
> I have a client running a Novell and WindowsNT4.0 environment. When users
> log into Novell, they are also logged onto the domain (since passwords
> match). Currently, no one has local admin access to their own machine, so
> they cannot install software, use Windows Update, etc. What is the easiest
> way to give a user local admin rights to their own machine under WinNT4.0? I
> tried creating a local account on the workstation, but then realized that the
> user never logs on to this workstation account since they are authenticating
> to the domain. Users need to be able to install software, use Windows
> Update, etc. The only stipulation is that users should NOT be able to view
> another machine's C: drive (i.e., \\machine-name\c$).
Hi

We add "NT Authority\Interactive" in the local Administrators
group to let all domain users automatically be local admins
when they log on to a domain computer interactively.

This is more secure than adding "Authenticated Domain users ",
"Domain Users" or "NT AUTHORITY\Authenticated Users" because you
avoid the issue with cross network admin rights (remote access)
that these groups introduces.


--
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scriptcenter/default.m...
Anonymous
October 28, 2004 9:32:35 AM

Archived from groups: microsoft.public.win2000.security (More info?)

A small handful of users needs to be able to install
programs periodically on WinXP workstations. We have no
Windows Domain here, and by default all users are made
members of the Power Users group.

Rather than make these users members of the local
Administrators group, I was wondering if one of the local
User Right settings could be modified to allow them to
accomplish a periodic software install?


>-----Original Message-----
>Add the user's domain account to the local
Administrator's group on each
>individual workstation. Be sure to add only the domain
account of the user
>who "owns" that machine, so that they cannot access each
others'
>information.
>
>--
>*****************
>Laura E. Hunter - MVP
>Replies to Newsgroup only
>All advice offered as-is, no warranties expressed or
implied
>"Shane White" <ShaneWhite@discussions.microsoft.com>
wrote in message
>news:039257B8-7EA0-46EE-BDC0-
2DCCD0E9F080@microsoft.com...
>> Hello,
>>
>> I have a client running a Novell and WindowsNT4.0
environment. When users
>> log into Novell, they are also logged onto the domain
(since passwords
>> match). Currently, no one has local admin access to
their own machine, so
>> they cannot install software, use Windows Update,
etc. What is the
>> easiest
>> way to give a user local admin rights to their own
machine under WinNT4.0?
>> I
>> tried creating a local account on the workstation, but
then realized that
>> the
>> user never logs on to this workstation account since
they are
>> authenticating
>> to the domain. Users need to be able to install
software, use Windows
>> Update, etc. The only stipulation is that users
should NOT be able to
>> view
>> another machine's C: drive (i.e., \\machine-name\c$).
>>
>> Thanks for any advice-
>> Shane
>>
>
>
>.
>
Anonymous
October 29, 2004 6:27:56 AM

Archived from groups: microsoft.public.win2000.security (More info?)

There is not a user right that can accomplish that but if the software
install is a .msi package or can be converted into a .msi package then you
can modify the local Group Policy so that .msi applications are always
installed with elevated permissions. Local Group Policy is opened via
gpedit.msc and on a local computer will apply to ALL users that use the
computer. You would have to enable always installed with elevated
permissions in both computer and user configuration. The link below explains
more. --- Steve

http://msdn.microsoft.com/library/default.asp?url=/libr...

"illingsk@cityofrochester.gov" <anonymous@discussions.microsoft.com> wrote
in message news:234a01c4bcea$343cb760$a301280a@phx.gbl...
>A small handful of users needs to be able to install
> programs periodically on WinXP workstations. We have no
> Windows Domain here, and by default all users are made
> members of the Power Users group.
>
> Rather than make these users members of the local
> Administrators group, I was wondering if one of the local
> User Right settings could be modified to allow them to
> accomplish a periodic software install?
>
>
>>-----Original Message-----
>>Add the user's domain account to the local
> Administrator's group on each
>>individual workstation. Be sure to add only the domain
> account of the user
>>who "owns" that machine, so that they cannot access each
> others'
>>information.
>>
>>--
>>*****************
>>Laura E. Hunter - MVP
>>Replies to Newsgroup only
>>All advice offered as-is, no warranties expressed or
> implied
>>"Shane White" <ShaneWhite@discussions.microsoft.com>
> wrote in message
>>news:039257B8-7EA0-46EE-BDC0-
> 2DCCD0E9F080@microsoft.com...
>>> Hello,
>>>
>>> I have a client running a Novell and WindowsNT4.0
> environment. When users
>>> log into Novell, they are also logged onto the domain
> (since passwords
>>> match). Currently, no one has local admin access to
> their own machine, so
>>> they cannot install software, use Windows Update,
> etc. What is the
>>> easiest
>>> way to give a user local admin rights to their own
> machine under WinNT4.0?
>>> I
>>> tried creating a local account on the workstation, but
> then realized that
>>> the
>>> user never logs on to this workstation account since
> they are
>>> authenticating
>>> to the domain. Users need to be able to install
> software, use Windows
>>> Update, etc. The only stipulation is that users
> should NOT be able to
>>> view
>>> another machine's C: drive (i.e., \\machine-name\c$).
>>>
>>> Thanks for any advice-
>>> Shane
>>>
>>
>>
>>.
>>
Anonymous
October 29, 2004 10:11:35 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Thanks a lot Steve. This is just what I was looking for.
I simply did not know precisely what to ask for.
>-----Original Message-----
>There is not a user right that can accomplish that but
if the software
>install is a .msi package or can be converted into
a .msi package then you
>can modify the local Group Policy so that .msi
applications are always
>installed with elevated permissions. Local Group Policy
is opened via
>gpedit.msc and on a local computer will apply to ALL
users that use the
>computer. You would have to enable always installed with
elevated
>permissions in both computer and user configuration. The
link below explains
>more. --- Steve
>
>http://msdn.microsoft.com/library/default.asp?
url=/library/en-us/gp/324.asp
>
>"illingsk@cityofrochester.gov"
<anonymous@discussions.microsoft.com> wrote
>in message news:234a01c4bcea$343cb760$a301280a@phx.gbl...
>>A small handful of users needs to be able to install
>> programs periodically on WinXP workstations. We have no
>> Windows Domain here, and by default all users are made
>> members of the Power Users group.
>>
>> Rather than make these users members of the local
>> Administrators group, I was wondering if one of the
local
>> User Right settings could be modified to allow them to
>> accomplish a periodic software install?
>>
>>
>>>-----Original Message-----
>>>Add the user's domain account to the local
>> Administrator's group on each
>>>individual workstation. Be sure to add only the domain
>> account of the user
>>>who "owns" that machine, so that they cannot access
each
>> others'
>>>information.
>>>
>>>--
>>>*****************
>>>Laura E. Hunter - MVP
>>>Replies to Newsgroup only
>>>All advice offered as-is, no warranties expressed or
>> implied
>>>"Shane White" <ShaneWhite@discussions.microsoft.com>
>> wrote in message
>>>news:039257B8-7EA0-46EE-BDC0-
>> 2DCCD0E9F080@microsoft.com...
>>>> Hello,
>>>>
>>>> I have a client running a Novell and WindowsNT4.0
>> environment. When users
>>>> log into Novell, they are also logged onto the domain
>> (since passwords
>>>> match). Currently, no one has local admin access to
>> their own machine, so
>>>> they cannot install software, use Windows Update,
>> etc. What is the
>>>> easiest
>>>> way to give a user local admin rights to their own
>> machine under WinNT4.0?
>>>> I
>>>> tried creating a local account on the workstation,
but
>> then realized that
>>>> the
>>>> user never logs on to this workstation account since
>> they are
>>>> authenticating
>>>> to the domain. Users need to be able to install
>> software, use Windows
>>>> Update, etc. The only stipulation is that users
>> should NOT be able to
>>>> view
>>>> another machine's C: drive (i.e., \\machine-name\c$).
>>>>
>>>> Thanks for any advice-
>>>> Shane
>>>>
>>>
>>>
>>>.
>>>
>
>
>.
>
Anonymous
October 29, 2004 11:14:29 AM

Archived from groups: microsoft.public.win2000.security (More info?)

You know, I have tried very hard to drill down to this
article in the MSDN Library though its Table of Contents
without success. I sometimes find it useful to do this so
as to identify what subtle associations the author is
making about this subject matter.

Alternatively, I can find this article by searching
for 'elevated permissions' ok.
>-----Original Message-----
>There is not a user right that can accomplish that but
if the software
>install is a .msi package or can be converted into
a .msi package then you
>can modify the local Group Policy so that .msi
applications are always
>installed with elevated permissions. Local Group Policy
is opened via
>gpedit.msc and on a local computer will apply to ALL
users that use the
>computer. You would have to enable always installed with
elevated
>permissions in both computer and user configuration. The
link below explains
>more. --- Steve
>
>http://msdn.microsoft.com/library/default.asp?
url=/library/en-us/gp/324.asp
>
>"illingsk@cityofrochester.gov"
<anonymous@discussions.microsoft.com> wrote
>in message news:234a01c4bcea$343cb760$a301280a@phx.gbl...
>>A small handful of users needs to be able to install
>> programs periodically on WinXP workstations. We have no
>> Windows Domain here, and by default all users are made
>> members of the Power Users group.
>>
>> Rather than make these users members of the local
>> Administrators group, I was wondering if one of the
local
>> User Right settings could be modified to allow them to
>> accomplish a periodic software install?
>>
>>
>>>-----Original Message-----
>>>Add the user's domain account to the local
>> Administrator's group on each
>>>individual workstation. Be sure to add only the domain
>> account of the user
>>>who "owns" that machine, so that they cannot access
each
>> others'
>>>information.
>>>
>>>--
>>>*****************
>>>Laura E. Hunter - MVP
>>>Replies to Newsgroup only
>>>All advice offered as-is, no warranties expressed or
>> implied
>>>"Shane White" <ShaneWhite@discussions.microsoft.com>
>> wrote in message
>>>news:039257B8-7EA0-46EE-BDC0-
>> 2DCCD0E9F080@microsoft.com...
>>>> Hello,
>>>>
>>>> I have a client running a Novell and WindowsNT4.0
>> environment. When users
>>>> log into Novell, they are also logged onto the domain
>> (since passwords
>>>> match). Currently, no one has local admin access to
>> their own machine, so
>>>> they cannot install software, use Windows Update,
>> etc. What is the
>>>> easiest
>>>> way to give a user local admin rights to their own
>> machine under WinNT4.0?
>>>> I
>>>> tried creating a local account on the workstation,
but
>> then realized that
>>>> the
>>>> user never logs on to this workstation account since
>> they are
>>>> authenticating
>>>> to the domain. Users need to be able to install
>> software, use Windows
>>>> Update, etc. The only stipulation is that users
>> should NOT be able to
>>>> view
>>>> another machine's C: drive (i.e., \\machine-name\c$).
>>>>
>>>> Thanks for any advice-
>>>> Shane
>>>>
>>>
>>>
>>>.
>>>
>
>
>.
>
Anonymous
October 30, 2004 12:55:52 AM

Archived from groups: microsoft.public.win2000.security (More info?)

I have not seen a lot about that either. If you want to see more info about
Windows Installer and .msi installations the link below and the section on
How Windows Installer Works may be helpful though it is geared more for a
domain environment. --- Steve

http://www.microsoft.com/resources/documentation/Window...
http://tinyurl.com/4jjt3 -- same link as above, shorter.

"illingsk@cityofrochester.gov" <anonymous@discussions.microsoft.com> wrote
in message news:292b01c4bdc1$9a67acc0$a301280a@phx.gbl...
> You know, I have tried very hard to drill down to this
> article in the MSDN Library though its Table of Contents
> without success. I sometimes find it useful to do this so
> as to identify what subtle associations the author is
> making about this subject matter.
>
> Alternatively, I can find this article by searching
> for 'elevated permissions' ok.
>>-----Original Message-----
>>There is not a user right that can accomplish that but
> if the software
>>install is a .msi package or can be converted into
> a .msi package then you
>>can modify the local Group Policy so that .msi
> applications are always
>>installed with elevated permissions. Local Group Policy
> is opened via
>>gpedit.msc and on a local computer will apply to ALL
> users that use the
>>computer. You would have to enable always installed with
> elevated
>>permissions in both computer and user configuration. The
> link below explains
>>more. --- Steve
>>
>>http://msdn.microsoft.com/library/default.asp?
> url=/library/en-us/gp/324.asp
>>
>>"illingsk@cityofrochester.gov"
> <anonymous@discussions.microsoft.com> wrote
>>in message news:234a01c4bcea$343cb760$a301280a@phx.gbl...
>>>A small handful of users needs to be able to install
>>> programs periodically on WinXP workstations. We have no
>>> Windows Domain here, and by default all users are made
>>> members of the Power Users group.
>>>
>>> Rather than make these users members of the local
>>> Administrators group, I was wondering if one of the
> local
>>> User Right settings could be modified to allow them to
>>> accomplish a periodic software install?
>>>
>>>
>>>>-----Original Message-----
>>>>Add the user's domain account to the local
>>> Administrator's group on each
>>>>individual workstation. Be sure to add only the domain
>>> account of the user
>>>>who "owns" that machine, so that they cannot access
> each
>>> others'
>>>>information.
>>>>
>>>>--
>>>>*****************
>>>>Laura E. Hunter - MVP
>>>>Replies to Newsgroup only
>>>>All advice offered as-is, no warranties expressed or
>>> implied
>>>>"Shane White" <ShaneWhite@discussions.microsoft.com>
>>> wrote in message
>>>>news:039257B8-7EA0-46EE-BDC0-
>>> 2DCCD0E9F080@microsoft.com...
>>>>> Hello,
>>>>>
>>>>> I have a client running a Novell and WindowsNT4.0
>>> environment. When users
>>>>> log into Novell, they are also logged onto the domain
>>> (since passwords
>>>>> match). Currently, no one has local admin access to
>>> their own machine, so
>>>>> they cannot install software, use Windows Update,
>>> etc. What is the
>>>>> easiest
>>>>> way to give a user local admin rights to their own
>>> machine under WinNT4.0?
>>>>> I
>>>>> tried creating a local account on the workstation,
> but
>>> then realized that
>>>>> the
>>>>> user never logs on to this workstation account since
>>> they are
>>>>> authenticating
>>>>> to the domain. Users need to be able to install
>>> software, use Windows
>>>>> Update, etc. The only stipulation is that users
>>> should NOT be able to
>>>>> view
>>>>> another machine's C: drive (i.e., \\machine-name\c$).
>>>>>
>>>>> Thanks for any advice-
>>>>> Shane
>>>>>
>>>>
>>>>
>>>>.
>>>>
>>
>>
>>.
>>
!