Windows Server 2000
Page 1 of 2 12 LastLast
Results 1 to 10 of 12

Thread: Windows Server 2000

  1. #1
    Junior Member
    Join Date
    Apr 2005
    Posts
    8

    Windows Server 2000

    I am having an issue with rights on my network. I have a Windows 2000 server running in Native mode which runs my dhcp and dns. My network is a small business and I kinda took on a project that I know nothing about. I have the network set up with user accounts, groups, and group policies. I can't seem to get how to make someone an admin on a local machine unless I make them domain admins. I would like to figure out how to make someone admin on the local machine without giving them access to resources across the network.

  2. #2
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    You do that on the local machine... Place them in the administrator group for the machine... The group "Domain Admins" is automatically added when you join a computer to a domain... Anyone in that group is an admin of the machine you added... But you don't want to add them to the "domain admins" group as you already know...
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  3. #3
    Junior Member
    Join Date
    Apr 2005
    Posts
    8
    I guess the next question would be, how does that work with roaming profiles? Do I need to add users as admins to all of the machines that I want them to have the rights on?

  4. #4
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    well...you could create a group called "user admins"...then add the users you want to have local admin rights on the machines ....and add the "user admins" group to the local admin group on the local machines........

    That way all the users in the users in the "user admins" group would be admins of the local machine...but not of the server\domain???

    Just make sure they are not domain admins...or server admins...cause trust me ...they WILL f&ck things up.....

    its easier to fix a workstation then a server

    ...although you do get alot of whinning

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  5. #5
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    If you want to keep things nice and tidy don't even make them local admin on workstations

    But morganlefay's solution would be the one I would use..
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  6. #6
    Junior Member
    Join Date
    Apr 2005
    Posts
    8
    I completely agree with keeping things tidy. My only issue is that we have a small (less than 30 people), and about 10 of these people are techs or management. I can't, and wouldn't refuse to give a tech local admin rights, I would get my @55 ripped for taking away the managers powers, but don't want anyone to have rights to access our old domain, or jack with someone else's machine as them. I don't know if that all made sense lol. I just want to limit the amount of admin rights that I give certain users, while denying others admin rights all together. Thanks so much everyone for your input. I think that I have the idea now. All that's left is the doing!

  7. #7
    Junior Member
    Join Date
    Apr 2005
    Posts
    8
    Hi everyone, I actually got a vb script recently that allows certain users admin rights on the machine and it works rather well. I was hoping that someone could look at the script and help me with an if.....then statement. Right now, if the user is already an admin on the machine, it gives an error that the account already exists. Here is the script.


    Option Explicit

    Dim Shell
    Set Shell=wscript.createobject("wscript.shell")
    Dim fso
    Set fso = wscript.CreateObject("Scripting.FileSystemObject")

    'On Error Resume Next

    Main

    If err.number <> 0 then
    MsgBox err.description,vbcritical,wscript.scriptname
    End If
    wscript.quit


    Sub main
    '--------------------------------------------------------- Main -
    Set objNet = CreateObject("WScript.Network") 'new

    Dim strUser, StrGroup, oComputer, cuser
    Dim oUser, oGroup, sComputerName, objNet, objnetwork, suser

    suser = objnet.username
    strUser = suser
    strGroup = "Administrators"


    sComputerName = objNet.ComputerName 'new

    Set oComputer = GetObject("WinNT://" & sComputerName)
    Set oUser = oComputer.Create ("User", strUser)
    On Error Resume Next
    Dim strComputer
    Dim objWMIService
    Dim colItems


    oUser.SetPassword "password"
    oUser.Put "PasswordExpired", 1
    oUser.Fullname = "Fullname"
    oUser.Description = "Description"
    oUser.SetInfo

    Set oGroup = oComputer.GetObject("Group", strGroup)
    oGroup.Add(oUser.ADsPath)
    oGroup.SetInfo

    wscript.echo "User [" & strUser & "] added to[" & strGroup & "] Group"

    Set oUser = nothing
    Set oGroup = nothing

    '-----------------------------------------------------------------
    End Sub

    Any help would be great!!!!

  8. #8
    They call me the Hunted foxyloxley's Avatar
    Join Date
    Nov 2003
    Location
    3rd Rock from Sun
    Posts
    2,528
    on the domains I've been involved with, although, not too deeply, 'we' have set each user as local admin by adding 'authenticated users' to the admin group ................

    so when someone logs into a machine, and the server authenticates 'em, they can run as local admin

    not great, but it is wide spread .........

    not to teach granny to suck eggs, but in case it didn't make sense :

    right click 'my computer' -----> manage -----> local users and groups -----> groups -----> administrators -----> add
    type auth, then click 'check names' making sure the location it is 'looking' at is the local machine
    it will return authenticated users

    click OK

    end egg sucking lesson
    55 - I'm fiftyfeckinfive and STILL no wiser,
    OLDER yes
    Beware of Geeks bearing GIF's
    come and waste the day :P at The Taz Zone

  9. #9
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834
    Foxy...So all your users run with NO access controls or restriction on the local pc? I couldn't sleep at night.
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.

  10. #10
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,191
    Hi RoadClosed ,

    I am familiar with the kind of environment that I believe that Foxy~ is referring to.

    1. No 3.5" floppy
    2. No CD/DVD
    3. No USB

    That sort of thing. They "technically" have admin rights but the kit restricts them. This made a lot of sense "back then" when the savings in non-essential hardware features could be diverted to RAM (expensive), HDD capacity, and software.

    They could download and install stuff of permitted areas of the network, you just needed to manage the internet and e-mail.

    I am referring to an era when users were expected to manage their own software (with a little technical assistance for upgrades etc.) so more of them actually needed local admin rights

    You still come across it in areas like Finance, Production Engineering, CAD/CAM and so forth.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •