June 13th, 2006, 11:37 PM
Windows Server 2000
I am having an issue with rights on my network. I have a Windows 2000 server running in Native mode which runs my DHCP and DNS. My network is a small business and I kinda took on a project that I know nothing about. I have the network set up with user accounts, groups, and group policies. I can't seem to get how to make someone an admin on a local machine unless I make them domain admins. I would like to figure out how to make someone admin on the local machine without giving them access to resources across the network.
June 13th, 2006, 11:42 PM
You do that on the local machine... Place them in the administrator group for the machine... The group "Domain Admins" is automatically added when you join a computer to a domain... Anyone in that group is an admin of the machine you added... But you don't want to add them to the "domain admins" group as you already know...
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
June 13th, 2006, 11:45 PM
I guess the next question would be, how does that work with roaming profiles? Do I need to add users as admins to all of the machines that I want them to have the rights on?
June 14th, 2006, 04:37 AM
well...you could create a group called "user admins"...then add the users you want to have local admin rights on the machines ....and add the "user admins" group to the local admin group on the local machines........
That way all the users in the "user admins" group would be admins of the local machine...but not of the server\domain???
Just make sure they are not domain admins...or server admins...cause trust me ...they WILL f&ck things up.....
it's easier to fix a workstation than a server
...although you do get a lot of whining
How people treat you is their karma- how you react is yours-Wayne Dyer
June 14th, 2006, 11:01 AM
If you want to keep things nice and tidy don't even make them local admin on workstations
But morganlefay's solution would be the one I would use..
Experience is something you don't get until just after you need it.
June 15th, 2006, 06:25 PM
I completely agree with keeping things tidy. My only issue is that we have a small (less than 30 people), and about 10 of these people are techs or management. I can't, and wouldn't refuse to give a tech local admin rights, I would get my @55 ripped for taking away the managers' powers, but don't want anyone to have rights to access our old domain, or jack with someone else's machine as them. I don't know if that all made sense lol. I just want to limit the amount of admin rights that I give certain users, while denying others admin rights altogether. Thanks so much everyone for your input. I think that I have the idea now. All that's left is the doing!
June 23rd, 2006, 04:22 PM
Hi everyone, I actually got a vb script recently that allows certain users admin rights on the machine and it works rather well. I was hoping that someone could look at the script and help me with an if.....then statement. Right now, if the user is already an admin on the machine, it gives an error that the account already exists. Here is the script.
'--------------------------------------------------------- Main -
' Creates a local account named after the logged-on user and
' adds it to the local Administrators group.
Dim strUser, strGroup, sComputerName
Dim oUser, oGroup, oComputer, objNet
Set objNet = CreateObject("WScript.Network")
strUser = objNet.UserName
strGroup = "Administrators"
sComputerName = objNet.ComputerName
' Bind to the local machine through the WinNT provider
Set oComputer = GetObject("WinNT://" & sComputerName)
Set oUser = oComputer.Create("User", strUser)
On Error Resume Next
oUser.Put "PasswordExpired", 1
oUser.FullName = "Fullname"
oUser.Description = "Description"
' Commit the new account; this fails when the account already exists
oUser.SetInfo
If Err.Number <> 0 Then
    WScript.Echo "Error: " & Err.Description
    WScript.Quit 1
End If
On Error GoTo 0
Set oGroup = oComputer.GetObject("Group", strGroup)
' Add the account to the group by its ADsPath
oGroup.Add oUser.ADsPath
WScript.Echo "User [" & strUser & "] added to [" & strGroup & "] Group"
Set oUser = Nothing
Set oGroup = Nothing
Any help would be great!!!!
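Added example, not part of the original thread or the poster's script: one way to write the If...Then check asked about above, combined with the earlier suggestion of putting a domain group into the local Administrators group. The domain name EXAMPLE is a placeholder, "user admins" is the group name suggested earlier in the thread, and the script is assumed to run under an account that already has local administrator rights.

```vbscript
Option Explicit

' Assumed names: EXAMPLE is a placeholder for the domain's NetBIOS name.
' "user admins" is the domain group suggested earlier in the thread.
Const DOMAIN_NAME = "EXAMPLE"
Const DOMAIN_GROUP = "user admins"
Const LOCAL_GROUP = "Administrators"

Dim objNet, oGroup, sMemberPath

Set objNet = CreateObject("WScript.Network")

' Bind to the local Administrators group through the WinNT provider.
Set oGroup = GetObject("WinNT://" & objNet.ComputerName & "/" & LOCAL_GROUP & ",group")

' ADsPath of the domain group that should hold local admin rights.
sMemberPath = "WinNT://" & DOMAIN_NAME & "/" & DOMAIN_GROUP

' Only add when not already a member, so repeat runs raise no error.
If oGroup.IsMember(sMemberPath) Then
    WScript.Echo "[" & DOMAIN_GROUP & "] is already in [" & LOCAL_GROUP & "]"
Else
    On Error Resume Next
    oGroup.Add sMemberPath
    If Err.Number <> 0 Then
        ' Typical causes: insufficient rights, or the group name was not found.
        WScript.Echo "Add failed: 0x" & Hex(Err.Number) & " " & Err.Description
        WScript.Quit 1
    End If
    On Error GoTo 0
    WScript.Echo "[" & DOMAIN_GROUP & "] added to [" & LOCAL_GROUP & "]"
End If
```

Because membership is granted to a domain group rather than to individual accounts, local admin rights follow the user to every machine where the script has run, without any Domain Admins membership.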
June 23rd, 2006, 08:47 PM
on the domains I've been involved with, although, not too deeply, 'we' have set each user as local admin by adding 'authenticated users' to the admin group ................
so when someone logs into a machine, and the server authenticates 'em, they can run as local admin
not great, but it is widespread .........
not to teach granny to suck eggs, but in case it didn't make sense :
right click 'my computer' -----> manage -----> local users and groups -----> groups -----> administrators -----> add
type auth, then click 'check names' making sure the location it is 'looking' at is the local machine
it will return authenticated users
end egg sucking lesson
55 - I'm fiftyfeckinfive and STILL no wiser,
Beware of Geeks bearing GIF's
come and waste the day :P at The Taz Zone
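Added example, not part of the original thread: a small audit script that lists the members of a machine's local Administrators group and flags broad principals such as Authenticated Users, which is the configuration described in the post above. The list of names treated as broad is an assumption chosen for this example.

```vbscript
Option Explicit

' Principals that put nearly every account in scope
' (list chosen for this example; extend it to suit the domain).
Dim aBroad
aBroad = Array("Authenticated Users", "Everyone", "INTERACTIVE", "Domain Users", "Users")

Dim objNet, oGroup, oMember, sName, bBroad, nFlagged

Set objNet = CreateObject("WScript.Network")
Set oGroup = GetObject("WinNT://" & objNet.ComputerName & "/Administrators,group")

nFlagged = 0
For Each oMember In oGroup.Members
    ' Compare each member's name against the broad-principal list.
    bBroad = False
    For Each sName In aBroad
        If StrComp(oMember.Name, sName, vbTextCompare) = 0 Then bBroad = True
    Next

    If bBroad Then
        nFlagged = nFlagged + 1
        WScript.Echo "BROAD  " & oMember.Class & "  " & oMember.ADsPath
    Else
        WScript.Echo "ok     " & oMember.Class & "  " & oMember.ADsPath
    End If
Next

' A non-zero exit code lets a scheduled job or inventory tool record the finding.
If nFlagged > 0 Then WScript.Quit 2
```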
June 23rd, 2006, 11:31 PM
Foxy...So all your users run with NO access controls or restriction on the local pc? I couldn't sleep at night.
West of House
You are standing in an open field west of a white house, with a boarded front door.
There is a small mailbox here.
June 23rd, 2006, 11:58 PM
Hi RoadClosed ,
I am familiar with the kind of environment that I believe that Foxy~ is referring to.
1. No 3.5" floppy
2. No CD/DVD
3. No USB
That sort of thing. They "technically" have admin rights but the kit restricts them. This made a lot of sense "back then" when the savings in non-essential hardware features could be diverted to RAM (expensive), HDD capacity, and software.
They could download and install stuff off permitted areas of the network, you just needed to manage the internet and e-mail.
I am referring to an era when users were expected to manage their own software (with a little technical assistance for upgrades etc.) so more of them actually needed local admin rights.
You still come across it in areas like Finance, Production Engineering, CAD/CAM and so forth.