How to set up users as admin automatically?

I want to set it up so that each user that locally logs on to the laptop
will be admin. I was going to set it up so that all authenticated
users can be admin of the laptops but I don't want that b/c that would
allow all users to open explorer and go to \\hostname\c$ and I don't
want that for EVERY user, just those that have logged into that machine.

Poohba wrote:
I want to set it up so that each user that locally logs on to the
laptop will be admin. I was going to set it up so that all
authenticated users can be admin of the laptops but I don't want
that b/c that would allow all users to open explorer and go to
\\hostname\c$ and I don't want that for EVERY user, just those that
have logged into that machine.

If the user is 'logging in locally' - that means someone created an account
for that person on the local machine. The person who setup the local
account just needs to set it up with Local Admin rights - although this is a
horrendous idea.

Do you mean something other than 'logon locally' by standard means.
(User has and is using a LOCAL account - not one in a domain...)

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html

Shenan Stanley wrote:
Poohba wrote:
I want to set it up so that each user that locally logs on to the
laptop will be admin. I was going to set it up so that all
authenticated users can be admin of the laptops but I don't want
that b/c that would allow all users to open explorer and go to
\\hostname\c$ and I don't want that for EVERY user, just those that
have logged into that machine.

If the user is 'logging in locally' - that means someone created an account
for that person on the local machine. The person who setup the local
account just needs to set it up with Local Admin rights - although this is a
horrendous idea.

Do you mean something other than 'logon locally' by standard means.
(User has and is using a LOCAL account - not one in a domain...)


Yes. When its connected to the domain you don't need to log in
"locally". So we want the user that logs into that machine to be an
admin. I thought of creating a script but the script has to run as
admin to do so and since the script will run as the person logged it, it
won't work.

Poohba wrote:
Shenan Stanley wrote:
Poohba wrote:
I want to set it up so that each user that locally logs on to the
laptop will be admin. I was going to set it up so that all
authenticated users can be admin of the laptops but I don't want
that b/c that would allow all users to open explorer and go to
\\hostname\c$ and I don't want that for EVERY user, just those
that have logged into that machine.

If the user is 'logging in locally' - that means someone created
an account for that person on the local machine. The person who
setup the local account just needs to set it up with Local Admin
rights - although this is a horrendous idea.

Do you mean something other than 'logon locally' by standard means.
(User has and is using a LOCAL account - not one in a domain...)

Yes. When its connected to the domain you don't need to log in
"locally". So we want the user that logs into that machine to be an
admin. I thought of creating a script but the script has to run as
admin to do so and since the script will run as the person logged
it, it won't work.

In order for a user to TRULY log on locally - one has to already have an
account created on the local machine. When that account is created (it is
not 'automagically created the first time they logon') the person/script
creating the local account gets to choose what type of account that is
(administrator, limited, etc.)

Now if what you are saying is that if they take the machine away from your
LAN and log into the domain using Cached Credentials - you want to them to
be admins for as long as they are not connected to your domain... Not only
do I not believe you couldn't do this (although with some crazy startup
script - it might be possible) - I believe you shouldn't do it. If you
cannot trust them as local administrators while connected to your domain
directly - why would you trust them as administrators on any of your
machines at all?

OR - do you have something where they are logging into the domain account
(when they remember to change the domain pull-down) when they can and then
they choose the local machine and log into a different account when not
connected directly to your domain? (In which case - the first point still
applies and you would have to create the local account and could assign it
whatever rights you saw fit then.)

Perhaps you are confusing what a domain logon and local logon actually are?
A domain cached logon is still a domain logon - there is nothing 'local'
about it other than (if you don't use romaining profiles) the stored profile
data. A true local logon requires a true local account.

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html

Users log into the domain. They need to be local admin of the machine
they are logged on to because they need to install software and/or
printers. So the users need to be added to the administrators group of
that computer. I could add AUTHENTICATED_USERS to the local
administrators group but that is not what I want because I don't want
all users having access. I don't want user1 logging into machine1 and
user2 (who has never logged into machine1) able to \\machine1\c$ ... and
have access to all those files. Sure all user2 has to do is log into
machine1 and then they would be able to do that but that isn't as easy
to do.

So. Is there a group that I can use other than AUTHENTICATED_USERS to
accomplish this task? net localgroup administrators domain/username
/add the only problem with that is that you have to already be admin to
do this.

Shenan Stanley wrote:
Poohba wrote:
Shenan Stanley wrote:
Poohba wrote:
I want to set it up so that each user that locally logs on to the
laptop will be admin. I was going to set it up so that all
authenticated users can be admin of the laptops but I don't want
that b/c that would allow all users to open explorer and go to
\\hostname\c$ and I don't want that for EVERY user, just those
that have logged into that machine.

If the user is 'logging in locally' - that means someone created
an account for that person on the local machine. The person who
setup the local account just needs to set it up with Local Admin
rights - although this is a horrendous idea.

Do you mean something other than 'logon locally' by standard means.
(User has and is using a LOCAL account - not one in a domain...)

Yes. When its connected to the domain you don't need to log in
"locally". So we want the user that logs into that machine to be an
admin. I thought of creating a script but the script has to run as
admin to do so and since the script will run as the person logged
it, it won't work.

In order for a user to TRULY log on locally - one has to already have an
account created on the local machine. When that account is created (it is
not 'automagically created the first time they logon') the person/script
creating the local account gets to choose what type of account that is
(administrator, limited, etc.)

Now if what you are saying is that if they take the machine away from your
LAN and log into the domain using Cached Credentials - you want to them to
be admins for as long as they are not connected to your domain... Not only
do I not believe you couldn't do this (although with some crazy startup
script - it might be possible) - I believe you shouldn't do it. If you
cannot trust them as local administrators while connected to your domain
directly - why would you trust them as administrators on any of your
machines at all?

OR - do you have something where they are logging into the domain account
(when they remember to change the domain pull-down) when they can and then
they choose the local machine and log into a different account when not
connected directly to your domain? (In which case - the first point still
applies and you would have to create the local account and could assign it
whatever rights you saw fit then.)

Perhaps you are confusing what a domain logon and local logon actually are?
A domain cached logon is still a domain logon - there is nothing 'local'
about it other than (if you don't use romaining profiles) the stored profile
data. A true local logon requires a true local account.

On Apr 30, 10:21 am, Poohba wrote:
Users log into the domain. They need to be local admin of the machine
they are logged on to because they need to install software and/or
printers. So the users need to be added to the administrators group of
that computer. I could add AUTHENTICATED_USERS to the local
administrators group but that is not what I want because I don't want
all users having access. I don't want user1 logging into machine1 and
user2 (who has never logged into machine1) able to \\machine1\c$ ... and
have access to all those files. Sure all user2 has to do is log into
machine1 and then they would be able to do that but that isn't as easy
to do.

So. Is there a group that I can use other than AUTHENTICATED_USERS to
accomplish this task? net localgroup administrators domain/username
/add the only problem with that is that you have to already be admin to
do this.

Shenan Stanley wrote:
Poohba wrote:
Shenan Stanley wrote:
Poohba wrote:
I want to set it up so that each user that locally logs on to the
laptop will be admin. I was going to set it up so that all
authenticated users can be admin of the laptops but I don't want
that b/c that would allow all users to open explorer and go to
\\hostname\c$ and I don't want that for EVERY user, just those
that have logged into that machine.

If the user is 'logging in locally' - that means someone created
an account for that person on the local machine. The person who
setup the local account just needs to set it up with Local Admin
rights - although this is a horrendous idea.

Do you mean something other than 'logon locally' by standard means.
(User has and is using a LOCAL account - not one in a domain...)

Yes. When its connected to the domain you don't need to log in
"locally". So we want the user that logs into that machine to be an
admin. I thought of creating a script but the script has to run as
admin to do so and since the script will run as the person logged
it, it won't work.

In order for a user to TRULY log on locally - one has to already have an
account created on the local machine. When that account is created (it is
not 'automagically created the first time they logon') the person/script
creating the local account gets to choose what type of account that is
(administrator, limited, etc.)

Now if what you are saying is that if they take the machine away from your
LAN and log into the domain using Cached Credentials - you want to them to
be admins for as long as they are not connected to your domain... Not only
do I not believe you couldn't do this (although with some crazy startup
script - it might be possible) - I believe you shouldn't do it. If you
cannot trust them as local administrators while connected to your domain
directly - why would you trust them as administrators on any of your
machines at all?

OR - do you have something where they are logging into the domain account
(when they remember to change the domain pull-down) when they can and then
they choose the local machine and log into a different account when not
connected directly to your domain? (In which case - the first point still
applies and you would have to create the local account and could assign it
whatever rights you saw fit then.)

Perhaps you are confusing what a domain logon and local logon actually are?
A domain cached logon is still a domain logon - there is nothing 'local'
about it other than (if you don't use romaining profiles) the stored profile
data. A true local logon requires a true local account.

I would create a domain security group, for example - Laptop Users, or
Laptop Admins - and add that group to your local Administrators group
on the Laptop. Then add the users who should be allowed access to the
laptop to that group.

Poohba wrote:
Users log into the domain. They need to be local admin of the
machine they are logged on to because they need to install software
and/or printers. So the users need to be added to the
administrators group of that computer. I could add
AUTHENTICATED_USERS to the local administrators group but that is
not what I want because I don't want all users having access. I
don't want user1 logging into machine1 and user2 (who has never
logged into machine1) able to \\machine1\c$ ... and have access to
all those files. Sure all user2 has to do is log into machine1 and
then they would be able to do that but that isn't as easy to do.

So. Is there a group that I can use other than AUTHENTICATED_USERS
to accomplish this task? net localgroup administrators
domain/username /add the only problem with that is that you have
to already be admin to do this.

Just make the users you want to be members of the local administrators group
of said machine members of a group in AD. Then put that AD group into the
local administrators group of the machine in question. That way you more
tightly control who actually has administrative rights.

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html

Maybe I'm not being clear. Everyone is/should be localadmin of the
computer they are using. Any machine a user logs into they should be
made local admin of that machine. To do this I could just add
AUTHENTICATED_USERS to the local admin group but that would allow users
that never logged into that machine access to it remotely and I don't
want that. (access via \\hostname\c$) Is there another group that I
could use other than AUTHENTICATED_USERS? A group such as
DOMAIN_USERS_LOGGED_IN_LOCALLY or something like that. The thing is I
don't want to have to remote into each machine a user logs on to and
give them permission. I am doing it now and I can continue to do it but
if there is a way around it, that would be helpful.

Shenan Stanley wrote:
Poohba wrote:
Users log into the domain. They need to be local admin of the
machine they are logged on to because they need to install software
and/or printers. So the users need to be added to the
administrators group of that computer. I could add
AUTHENTICATED_USERS to the local administrators group but that is
not what I want because I don't want all users having access. I
don't want user1 logging into machine1 and user2 (who has never
logged into machine1) able to \\machine1\c$ ... and have access to
all those files. Sure all user2 has to do is log into machine1 and
then they would be able to do that but that isn't as easy to do.

So. Is there a group that I can use other than AUTHENTICATED_USERS
to accomplish this task? net localgroup administrators
domain/username /add the only problem with that is that you have
to already be admin to do this.

Just make the users you want to be members of the local administrators group
of said machine members of a group in AD. Then put that AD group into the
local administrators group of the machine in question. That way you more
tightly control who actually has administrative rights.

Poohba wrote:
Maybe I'm not being clear. Everyone is/should be localadmin of the
computer they are using. Any machine a user logs into they should
be made local admin of that machine. To do this I could just add
AUTHENTICATED_USERS to the local admin group but that would allow
users that never logged into that machine access to it remotely and
I don't want that. (access via \\hostname\c$) Is there another
group that I could use other than AUTHENTICATED_USERS? A group
such as DOMAIN_USERS_LOGGED_IN_LOCALLY or something like that. The
thing is I don't want to have to remote into each machine a user
logs on to and give them permission. I am doing it now and I can
continue to do it but if there is a way around it, that would be
helpful.

This is fairly clear:
"Everyone is/should be local admin of the computer they are using."
And bad practice.

This is fairly clear:
"Any machine a user logs into they should be made local admin of that
machine."
And bad practice.

Here's the problem you are having.
You want to limit users, but not limit them.

No - there is no 'group' you can make that would make them just a local
administrator of the machine they are currently logged into and not the
other machines who are setup the same way not be admins. There is no
simplistic way to do what you are trying to do with groups/membership in a
group - given these machines are domain machines.

There is no script to do this either - as I cannot see it being a practice
anyone would WANT to take up.

What's the point of having them be administrators on only the machine they
are on - but not any other machine on the network? They just should not be
administrators at all. If they need something installed - they *should*
have to (at least) log out and log in as a user with more rights and/or
contact an IT staffer.

You could - and this would solve your issue quite nicely - setup the Windows
Firewall on the machine and control it with group policies and not allow
file/print sharing but from a certain group of machines. In that way - no
matter that they are local admins - they cannot map a printer/file share on
another machine unless their machine is specified in the firewall settings -
which is controlled by group policy and should only contain machines your IT
staff logs into and servers they might utilize.

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html