administrator rights for computer

Archived from groups: microsoft.public.win2000.security (More info?)

Hi all,
I have a normal user who logs on to a 2003 server network which has group
policies set.
I have a program that requires administrator rights to the workstation in
order to run.
If I assign adminstrator rights to the domain user at the workstation level
(user accounts)then the user also has administrartor rights to the domain.
How can I assign workstation administrator rights to the domain user but not
domain administrator rights?
I want this user to get all the gp's set.
Thanks in advance for any help
Sher
5 answers Last reply
More about administrator rights computer
  1. Archived from groups: microsoft.public.win2000.security (More info?)

    Add their domain account to the local administrator group of their computer.

    Use users and groups on their computer, select the Administrator group and
    add their domain account to that group by selecting their name from the list
    of domain users (not local users).


    hth
    DDS W 2k MVP MCSE

    "Sher" <Sher@discussions.microsoft.com> wrote in message
    news:E352FA92-4BC5-43B4-AC75-14741297B406@microsoft.com...
    > Hi all,
    > I have a normal user who logs on to a 2003 server network which has group
    > policies set.
    > I have a program that requires administrator rights to the workstation in
    > order to run.
    > If I assign adminstrator rights to the domain user at the workstation
    > level
    > (user accounts)then the user also has administrartor rights to the domain.
    > How can I assign workstation administrator rights to the domain user but
    > not
    > domain administrator rights?
    > I want this user to get all the gp's set.
    > Thanks in advance for any help
    > Sher
  2. Archived from groups: microsoft.public.win2000.security (More info?)

    Hi Danny,
    If I do this, then the domain user is added as the administrator of the
    domain also which I do not want. I only want the domain user to have local
    administrator rights.
    Sher

    "Danny Sanders" wrote:

    > Add their domain account to the local administrator group of their computer.
    >
    > Use users and groups on their computer, select the Administrator group and
    > add their domain account to that group by selecting their name from the list
    > of domain users (not local users).
    >
    >
    >
    >
    > hth
    > DDS W 2k MVP MCSE
    >
    > "Sher" <Sher@discussions.microsoft.com> wrote in message
    > news:E352FA92-4BC5-43B4-AC75-14741297B406@microsoft.com...
    > > Hi all,
    > > I have a normal user who logs on to a 2003 server network which has group
    > > policies set.
    > > I have a program that requires administrator rights to the workstation in
    > > order to run.
    > > If I assign adminstrator rights to the domain user at the workstation
    > > level
    > > (user accounts)then the user also has administrartor rights to the domain.
    > > How can I assign workstation administrator rights to the domain user but
    > > not
    > > domain administrator rights?
    > > I want this user to get all the gp's set.
    > > Thanks in advance for any help
    > > Sher
    >
    >
    >
  3. Archived from groups: microsoft.public.win2000.security (More info?)

    You can not add a user to the domain admin group from their computer. There
    is no domain admin group on their computer. To add them to the domain admin
    group you have to do that on the server.


    Adding their domain account to the local administrator group will result in
    the user logging on with their domain account and being administrator of the
    local computer.


    hth
    DDS W 2k MVP MCSE

    "Sher" <Sher@discussions.microsoft.com> wrote in message
    news:85287DBA-3B61-4381-802B-831478E29CBA@microsoft.com...
    > Hi Danny,
    > If I do this, then the domain user is added as the administrator of the
    > domain also which I do not want. I only want the domain user to have
    > local
    > administrator rights.
    > Sher
    >
    > "Danny Sanders" wrote:
    >
    >> Add their domain account to the local administrator group of their
    >> computer.
    >>
    >> Use users and groups on their computer, select the Administrator group
    >> and
    >> add their domain account to that group by selecting their name from the
    >> list
    >> of domain users (not local users).
    >>
    >>
    >>
    >>
    >> hth
    >> DDS W 2k MVP MCSE
    >>
    >> "Sher" <Sher@discussions.microsoft.com> wrote in message
    >> news:E352FA92-4BC5-43B4-AC75-14741297B406@microsoft.com...
    >> > Hi all,
    >> > I have a normal user who logs on to a 2003 server network which has
    >> > group
    >> > policies set.
    >> > I have a program that requires administrator rights to the workstation
    >> > in
    >> > order to run.
    >> > If I assign adminstrator rights to the domain user at the workstation
    >> > level
    >> > (user accounts)then the user also has administrartor rights to the
    >> > domain.
    >> > How can I assign workstation administrator rights to the domain user
    >> > but
    >> > not
    >> > domain administrator rights?
    >> > I want this user to get all the gp's set.
    >> > Thanks in advance for any help
    >> > Sher
    >>
    >>
    >>
  4. Archived from groups: microsoft.public.win2000.security (More info?)

    Was wondering..
    Is there a way of having an AD group called 'Local PC Admin' where one
    may add domain users as members, then whichever PC these users log
    into, they obtain 'Local PC Administrator rights' on that PC during
    their session.?
    Same as the Domain Admins group members can.. only they get domain
    admin rights obviously..
    This would save having to know the username for each PC and users could
    move around as they do..
    AJ


    --
    APJ
    ------------------------------------------------------------------------
    Posted via http://www.mcse.ms
    ------------------------------------------------------------------------
    View this thread: http://www.mcse.ms/message1808657.html
  5. Archived from groups: microsoft.public.win2000.security (More info?)

    You could use Group Policy Restricted Groups and the "member of" option for
    Windows 2000 computers using at least SP4 and XP Pro/2003 computers. When
    doing this you need to create an OU with a Group Policy linked to it that
    has Restricted Groups configured. Then move the computers [NOT domain
    controllers however] that you want to add the global group to the local
    administrators group on into that OU. You can also use Restricted Groups to
    managed domain groups and you would want to do that on the domain
    controllers container. I would consider domain admins to be a very sensitive
    group and would consider Restricted Groups to enforce membership of that
    group. You should not need very many members of the domain admins group as
    much can be done with AD delegation in a domain. --- Steve

    http://support.microsoft.com/default.aspx?kbid=810076 --- Resricted Groups
    member of
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/gp/611.asp
    --- Restricted Groups

    "APJ" <APJ.1vciu1@mail.mcse.ms> wrote in message
    news:APJ.1vciu1@mail.mcse.ms...
    >
    > Was wondering..
    > Is there a way of having an AD group called 'Local PC Admin' where one
    > may add domain users as members, then whichever PC these users log
    > into, they obtain 'Local PC Administrator rights' on that PC during
    > their session.?
    > Same as the Domain Admins group members can.. only they get domain
    > admin rights obviously..
    > This would save having to know the username for each PC and users could
    > move around as they do..
    > AJ
    >
    >
    >
    > --
    > APJ
    > ------------------------------------------------------------------------
    > Posted via http://www.mcse.ms
    > ------------------------------------------------------------------------
    > View this thread: http://www.mcse.ms/message1808657.html
    >
Ask a new question

Read More

Domain Computers Workstations Windows