Setting default security group for new profiles


Frank Olcott
December 5th 03, 08:12 PM
We have several hundred XP PCs on campus and are quite
happy with our users connecting in restricted mode; some
are "power users" and just a few are local administrators.

However, we've had trouble in our presentation areas,
where many different users connect and often need to
quickly install software or add plug-ins, as restricted
users cannot do these things.

How can I set policy on these computers so that a new
profile is given administrative privileges, instead of
being dumped into the default, restricted, group? I've
read through 100s of these posts and have thoroughly
scanned gpedit.msc and can't find it.

--Frank

Roger Abell [MVP]
December 5th 03, 08:13 PM
I do not believe there is any setting for that.
However, since you do have some method to provision
those accounts (I assume by new profiles you mean new
machine local accounts, rather than first time login by an
already existing domain account) you could just add one
more line to execute such as
    net localgroup administrators newaccount /add
where newaccount was just created.

However, this is quite less than optimal, as the users
would then be running all of the time with high privs.
You may wish to consider making one admin account
on the machines, and provide your users with its password
and info on how to use RunAs when needed (or to log in
with it when a more extensive install session is needed).

--
Roger

"Frank Olcott" wrote in message ...
> We have several hundred XP PCs on campus and are quite
> happy with our users connecting in restricted mode; some
> are "power users" and just a few are local administrators.
>
> However, we've had trouble in our presentation areas,
> where many different users connect and often need to
> quickly install software or add plug-ins, as restricted
> users cannot do these things.
>
> How can I set policy on these computers so that a new
> profile is given administrative privileges, instead of
> being dumped into the default, restricted, group? I've
> read through 100s of these posts and have thoroughly
> scanned gpedit.msc and can't find it.
>
> --Frank

Frank Olcott
December 5th 03, 08:14 PM
Yes, we do authenticate versus a PDC, so I was not able
to follow your suggestion.

I resolved it this way: inside Admin Tools | Computer
Management, I highlighted the Groups.

I removed "Domainname\Domain Users" from the User group.
I added "Domainname\Domain Users" to the Administrators
group.

Voilà!

This is not something I would recommend across the board,
as now everyone who authenticates through our domain is a
local administrator on the PC, but in this particular
case, it fills a need, and will allow us to replace the
lingering Win98 PCs with WinXP.

--Frank

>-----Original Message-----
>I do not believe there is any setting for that.
>However, since you do have some method to provision
>those accounts (I assume by new profiles you mean new
>machine local accounts, rather than first time login by an
>already existing domain account) you could just add one
>more line to execute such as
>    net localgroup administrators newaccount /add
>where newaccount was just created.
>
>However, this is quite less than optimal, as the users
>would then be running all of the time with high privs.
>You may wish to consider making one admin account
>on the machines, and provide your users with its password
>and info on how to use RunAs when needed (or to log in
>with it when a more extensive install session is needed).
>
>--
>Roger
>
>"Frank Olcott" wrote in message ...
>> We have several hundred XP PCs on campus and are quite
>> happy with our users connecting in restricted mode; some
>> are "power users" and just a few are local administrators.
>>
>> However, we've had trouble in our presentation areas,
>> where many different users connect and often need to
>> quickly install software or add plug-ins, as restricted
>> users cannot do these things.
>>
>> How can I set policy on these computers so that a new
>> profile is given administrative privileges, instead of
>> being dumped into the default, restricted, group? I've
>> read through 100s of these posts and have thoroughly
>> scanned gpedit.msc and can't find it.
>>
>> --Frank
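
Added example, not part of the original thread: a PowerShell audit that parses the text printed by `net localgroup Administrators` and flags broad groups such as Domain Users, the membership the change described above creates. The function names, the list of broad groups and the CAMPUS domain in the constructed sample are assumptions made for illustration.

```powershell
# Added example (not from the thread): find machines where a broad group
# has been placed in the local Administrators group.

# Assumption: illustrative list of group names that make "everyone" an admin.
$BroadGroups = 'Domain Users', 'Authenticated Users', 'Everyone', 'Users', 'INTERACTIVE'

function Get-LocalGroupMembersFromNetOutput {
    # Returns the member lines from `net localgroup <group>` text output.
    param([string[]]$Lines)
    $inMembers = $false
    foreach ($line in $Lines) {
        $text = $line.Trim()
        # The member list starts after the row of dashes.
        if ($text -match '^-{5,}$') { $inMembers = $true; continue }
        if (-not $inMembers -or $text -eq '') { continue }
        # The status line marks the end of the member list.
        if ($text -like 'The command completed*') { break }
        $text
    }
}

function Find-BroadLocalAdmins {
    # Emits one object per member that is a broad group.
    param([string[]]$Lines)
    foreach ($member in Get-LocalGroupMembersFromNetOutput -Lines $Lines) {
        # Drop the DOMAIN\ or COMPUTER\ prefix before comparing names.
        $name = ($member -split '\\')[-1]
        if ($BroadGroups -contains $name) {
            [pscustomobject]@{
                Member = $member
                Reason = "every member of '$name' is a local administrator"
            }
        }
    }
}

# Constructed sample output; CAMPUS is a placeholder domain name.
$sample = @'
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CAMPUS\Domain Admins
CAMPUS\Domain Users
The command completed successfully.
'@ -split "`r?`n"

Find-BroadLocalAdmins -Lines $sample | Format-Table -AutoSize
```

On a live machine, pass the command's output directly: `Find-BroadLocalAdmins -Lines (net localgroup Administrators)`.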
