-
Windows Server 2000
I am having an issue with rights on my network. I have a Windows 2000 server running in Native mode which runs my DHCP and DNS. My network is a small business and I kinda took on a project that I know nothing about. I have the network set up with user accounts, groups, and group policies. I can't seem to get how to make someone an admin on a local machine unless I make them domain admins. I would like to figure out how to make someone admin on the local machine without giving them access to resources across the network.
-
You do that on the local machine... Place them in the administrator group for the machine... The group "Domain Admins" is automatically added when you join a computer to a domain... Anyone in that group is an admin of the machine you added... But you don't want to add them to the "domain admins" group as you already know...
-
I guess the next question would be, how does that work with roaming profiles? Do I need to add users as admins to all of the machines that I want them to have the rights on?
-
well...you could create a group called "user admins"...then add the users you want to have local admin rights on the machines ....and add the "user admins" group to the local admin group on the local machines........
That way all the users in the "user admins" group would be admins of the local machine...but not of the server\domain???
Just make sure they are not domain admins...or server admins...cause trust me ...they WILL f&ck things up..... :(
it's easier to fix a workstation than a server ;)
...although you do get a lot of whining :rolleyes:
MLF
-
If you want to keep things nice and tidy don't even make them local admin on workstations ;)
But morganlefay's solution would be the one I would use..
-
I completely agree with keeping things tidy. My only issue is that we have a small (less than 30 people), and about 10 of these people are techs or management. I can't, and wouldn't refuse to give a tech local admin rights, I would get my @55 ripped for taking away the managers' powers, but don't want anyone to have rights to access our old domain, or jack with someone else's machine as them. I don't know if that all made sense lol. I just want to limit the amount of admin rights that I give certain users, while denying others admin rights altogether. Thanks so much everyone for your input. I think that I have the idea now. All that's left is the doing!
-
Hi everyone, I actually got a vb script recently that allows certain users admin rights on the machine and it works rather well. I was hoping that someone could look at the script and help me with an if.....then statement. Right now, if the user is already an admin on the machine, it gives an error that the account already exists. Here is the script.
Option Explicit

Dim Shell
Set Shell = WScript.CreateObject("WScript.Shell")
Dim fso
Set fso = WScript.CreateObject("Scripting.FileSystemObject")

'On Error Resume Next
Main
If Err.Number <> 0 Then
    MsgBox Err.Description, vbCritical, WScript.ScriptName
End If
WScript.Quit

Sub Main
    '--------------------------------------------------------- Main -
    Dim strUser, strGroup, sComputerName
    Dim oComputer, oUser, oGroup, objNet

    Set objNet = CreateObject("WScript.Network")
    strUser = objNet.UserName               ' name of the logged-on user
    strGroup = "Administrators"
    sComputerName = objNet.ComputerName

    ' Bind to the local machine and stage a new local account with that name
    Set oComputer = GetObject("WinNT://" & sComputerName)
    Set oUser = oComputer.Create("User", strUser)

    On Error Resume Next
    oUser.SetPassword "password"
    oUser.Put "PasswordExpired", 1          ' force a password change at first logon
    oUser.FullName = "Fullname"
    oUser.Description = "Description"
    oUser.SetInfo                           ' commits the account; this call fails if it already exists

    ' Add the account to the local Administrators group
    Set oGroup = oComputer.GetObject("Group", strGroup)
    oGroup.Add(oUser.ADsPath)
    oGroup.SetInfo
    WScript.Echo "User [" & strUser & "] added to [" & strGroup & "] Group"

    Set oUser = Nothing
    Set oGroup = Nothing
    '-----------------------------------------------------------------
End Sub

Any help would be great!!!!
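
The membership check asked about above, combined with the domain-group approach suggested earlier in the thread, as an added example that is not part of any post. The domain name EXAMPLEDOM is a placeholder and the group name "User Admins" is taken from the earlier suggestion; both are assumptions to replace with your own values.

```vbscript
Option Explicit

' Assumed names, not from the thread: substitute your own domain and group.
Const DOMAIN_NAME  = "EXAMPLEDOM"
Const DOMAIN_GROUP = "User Admins"
Const EVT_ERROR = 1     ' WshShell.LogEvent type: error
Const EVT_INFO  = 4     ' WshShell.LogEvent type: information

Dim oNet, oShell, oAdmins, sTarget
Set oNet   = CreateObject("WScript.Network")
Set oShell = CreateObject("WScript.Shell")

' Local Administrators group of the machine the script runs on.
Set oAdmins = GetObject("WinNT://" & oNet.ComputerName & "/Administrators,group")
sTarget = "WinNT://" & DOMAIN_NAME & "/" & DOMAIN_GROUP

If IsMemberOf(oAdmins, sTarget) Then
    ' Already present: skip the Add so no "already a member" error is raised.
    oShell.LogEvent EVT_INFO, DOMAIN_GROUP & " is already in local Administrators."
Else
    On Error Resume Next
    oAdmins.Add sTarget
    If Err.Number <> 0 Then
        oShell.LogEvent EVT_ERROR, "Could not add " & sTarget & ": 0x" & _
            Hex(Err.Number) & " " & Err.Description
    Else
        oShell.LogEvent EVT_INFO, "Added " & sTarget & " to local Administrators."
    End If
    On Error GoTo 0
End If

' True if the group already lists the given ADsPath (case-insensitive compare).
Function IsMemberOf(oGroup, sPath)
    Dim oMember
    IsMemberOf = False
    For Each oMember In oGroup.Members
        If LCase(oMember.ADsPath) = LCase(sPath) Then
            IsMemberOf = True
            Exit Function
        End If
    Next
End Function
```

The script has to run with administrative rights on the workstation; assigned as a computer startup script through Group Policy it runs as Local System on each machine, and no local account or password is created.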
-
on the domains I've been involved with, although, not too deeply, 'we' have set each user as local admin by adding 'authenticated users' to the admin group ................
so when someone logs into a machine, and the server authenticates 'em, they can run as local admin
not great, but it is widespread .........
not to teach granny to suck eggs, but in case it didn't make sense :
right click 'my computer' -----> manage -----> local users and groups -----> groups -----> administrators -----> add
type auth, then click 'check names' making sure the location it is 'looking' at is the local machine
it will return authenticated users
click OK
end egg sucking lesson
-
Foxy...So all your users run with NO access controls or restriction on the local pc? I couldn't sleep at night.
-
Hi RoadClosed,
I am familiar with the kind of environment that I believe that Foxy~ is referring to.
1. No 3.5" floppy
2. No CD/DVD
3. No USB
That sort of thing. They "technically" have admin rights but the kit restricts them. This made a lot of sense "back then" when the savings in non-essential hardware features could be diverted to RAM (expensive), HDD capacity, and software.
They could download and install stuff off permitted areas of the network, you just needed to manage the internet and e-mail.
I am referring to an era when users were expected to manage their own software (with a little technical assistance for upgrades etc.) so more of them actually needed local admin rights ;)
You still come across it in areas like Finance, Production Engineering, CAD/CAM and so forth.
-
I don't set the rules
I just follow the script :(
and, unfortunately, modern kit DOES have all the whistles and bells [USB / FDD / CD-DVD ROM]
it was / still is an easy option
it allows any user who has an account on the server, to log in and have admin rights on that machine
ANY machine in the domain :eek:
have seen and implemented it in too many places now
nothing surprises me anymore
I would have thought / hoped that there was a 'better' way that would be easier to implement that would 'filter' some accounts, and allow others
but, so far, login and be your own admin
there ARE restrictions on www usage and D/L's
but to me, the words 'stable door' and 'horses' come to mind ..............
-
Is there a way to do this without going machine to machine? Better yet, without going machine to machine as well as making everyone an admin? Is it even possible?