MAC Address and Admin Rights

Thread: MAC Address and Admin Rights

  1. #1
    Member
    Join Date
    Jan 2005
    Posts
    35

    MAC Address and Admin Rights

    Is there a way to apply admin rights to a user but only on one computer? We have Active Directory and if you give local admin rights he can still go to another computer and use the rights there. Is there a way to make it computer specific...and maybe on the other computers just a power user or general user as put out by our GPO?

    Or is this wishful thinking?

  2. #2
    King Tutorial-ankhamun
    Join Date
    Jul 2004
    Posts
    897
    You can't just add them to the local administrators group on that one computer? You could even do that remotely with a WMI script.

  3. #3
    Member
    Join Date
    Dec 2003
    Posts
    97
    You can do it manually, or write a script or application to do it for you.

    Group Policy will let you administer the administrators group, but the only way to do what you described would be to have a different policy for each computer...not a good idea at all.

  4. #4
    Member
    Join Date
    Jan 2005
    Posts
    35
    If in AD you add them to the local admins group and they move from one computer to another they are an admin on the other machine as well. I want to limit what certain people are doing on other machines on the network. They need to be connected to the network to get information and other such things. But what they have begun doing is installing stuff on PCs that shouldn't be installed. Am trying to stop them. My boss doesn't want to put them on their own little network. So I figure maybe there was a tool out there that would be able to group them by their MAC addy and restrict them that way.

  5. #5
    Member
    Join Date
    Dec 2003
    Posts
    97
    There may be something, but I haven't seen it. If you manage your computer through group policy restricted groups (and it sounds like you do) create an exception group in your AD for that policy. Set the group policy security to deny application to all members of that group, then put these exception computers in that group. You'll still have to manually add the rights on those systems, but it's better than giving him rights to everything.

  6. #6
    King Tutorial-ankhamun
    Join Date
    Jul 2004
    Posts
    897
    Originally posted here by earthbound4u
    If in AD you add them to the local admins group and they move from one computer to another they are an admin on the other machine as well. I want to limit what certain people are doing on other machines on the network. They need to be connected to the network to get information and other such things. But what they have begun doing is installing stuff on PCs that shouldn't be installed. Am trying to stop them. My boss doesn't want to put them on their own little network. So I figure maybe there was a tool out there that would be able to group them by their MAC addy and restrict them that way.
    I'm pretty sure that's not the way it works, it works that way if they are a domain or global admin group but a local admin is only an admin on that one computer (or ones that use the same image). At my work almost all of the computers are in AD and I'm a local admin on some and not others. Maybe we are having a terminology mix-up.

  7. #7
    King Tutorial-ankhamun
    Join Date
    Jul 2004
    Posts
    897
    Here is a command you can use from the command line to set up the user on that one computer. Go to that one computer, drop out to the command prompt and type:

    net localgroup administrators WhateverUserName /add

  8. #8
    Member
    Join Date
    Jan 2005
    Posts
    35
    Well see...I am not in the domain admin's group I am only a local admin and I also can walk from computer to computer to do what I want. Granted every little thing I do is being tracked. But I still would like to stop things from happening before they start. Maybe they have it set up wrong. I don't know.

  9. #9
    Junior Member
    Join Date
    Mar 2005
    Posts
    1
    Grouping them by their MAC addresses isn't a reliable way of doing it, as a MAC address can be easily spoofed.

  10. #10
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    You say you have local admin rights...on the server???
    That would add you to the local administrators account on the WS connected to the domain as a domain admin.

    I have a site 2003 server...default policies are as follows....I tweak as needed

    All users are added to the domainusers group when created and that group is added to the users group of the workstations when they join the domain...very basic rights. Domain administrators are added to the workstations administrator group. If I want to accelerate the users permissions on the workstation you have to add them to the workstations administrator group...or if you want the user to have administrative accounts on ALL workstations...add them to the domain administrators account....which in turn will add them to all the workstations administrator group

    So if this user is administrator on all workstations...someone has deviated from the default AD setup...and added them either to a global domain account (domain admin) or added them to each workstations admin account.

    Clear as mud

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer
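
To check which of the two cases from post #10 applies (a domain group nested in each workstation's Administrators group, or the user added machine by machine), the local Administrators group can be listed on each workstation and the entries classified. This is an added example, not code from any poster in the thread; the computer names and the account `EXAMPLE\jsmith` are placeholders, and it assumes PowerShell remoting (WinRM) is enabled on the workstations.

```powershell
# Added example: audit who holds local admin rights on each workstation.
# Computer names and the account are placeholders, not values from the thread.
$Computers = 'WS01', 'WS02', 'WS03'
$Account   = 'EXAMPLE\jsmith'

$report = foreach ($computer in $Computers) {
    try {
        # Runs on the remote machine and returns plain strings for each member.
        $members = Invoke-Command -ComputerName $computer -ErrorAction Stop -ScriptBlock {
            Get-LocalGroupMember -Group 'Administrators' |
                Select-Object Name, ObjectClass,
                    @{ n = 'Source'; e = { "$($_.PrincipalSource)" } }
        }
    } catch {
        Write-Warning "Could not query ${computer}: $($_.Exception.Message)"
        continue
    }
    foreach ($m in $members) {
        [pscustomobject]@{
            Computer = $computer
            Member   = $m.Name
            Class    = $m.ObjectClass   # User or Group
            Source   = $m.Source        # Local or ActiveDirectory
        }
    }
}

# Case 1: the account was added directly. Its admin rights are limited to
# the machines listed here, which is the per-computer setup the thread asks for.
$report | Where-Object Member -eq $Account | Format-Table Computer, Member, Source

# Case 2: a domain group is nested in local Administrators. Every member of
# that group is an admin on every machine where the group appears.
$report |
    Where-Object { $_.Class -eq 'Group' -and $_.Source -eq 'ActiveDirectory' } |
    Group-Object Member |
    Select-Object Name, Count,
        @{ n = 'Computers'; e = { $_.Group.Computer -join ', ' } } |
    Format-Table -AutoSize
```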
