#1
How to set up users as admin automatically?
I want to set it up so that each user that locally logs on to the laptop will be admin. I was going to set it up so that all authenticated users can be admin of the laptops but I don't want that b/c that would allow all users to open explorer and go to \\hostname\c$ and I don't want that for EVERY user, just those that have logged into that machine.
#2
Poohba wrote:
> I want to set it up so that each user that locally logs on to the laptop will be admin. I was going to set it up so that all authenticated users can be admin of the laptops but I don't want that b/c that would allow all users to open explorer and go to \\hostname\c$ and I don't want that for EVERY user, just those that have logged into that machine.

If the user is 'logging in locally' - that means someone created an account for that person on the local machine. The person who set up the local account just needs to set it up with Local Admin rights - although this is a horrendous idea.

Do you mean something other than 'logon locally' by standard means? (User has and is using a LOCAL account - not one in a domain...)

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html
#3
Shenan Stanley wrote:
> Poohba wrote:
>> I want to set it up so that each user that locally logs on to the laptop will be admin. I was going to set it up so that all authenticated users can be admin of the laptops but I don't want that b/c that would allow all users to open explorer and go to \\hostname\c$ and I don't want that for EVERY user, just those that have logged into that machine.
>
> If the user is 'logging in locally' - that means someone created an account for that person on the local machine. The person who set up the local account just needs to set it up with Local Admin rights - although this is a horrendous idea.
>
> Do you mean something other than 'logon locally' by standard means? (User has and is using a LOCAL account - not one in a domain...)

Yes. When it's connected to the domain you don't need to log in "locally". So we want the user that logs into that machine to be an admin. I thought of creating a script but the script has to run as admin to do so and since the script will run as the person logged in, it won't work.
#4
Poohba wrote:
> Shenan Stanley wrote:
>> Poohba wrote:
>>> I want to set it up so that each user that locally logs on to the laptop will be admin. I was going to set it up so that all authenticated users can be admin of the laptops but I don't want that b/c that would allow all users to open explorer and go to \\hostname\c$ and I don't want that for EVERY user, just those that have logged into that machine.
>>
>> If the user is 'logging in locally' - that means someone created an account for that person on the local machine. The person who set up the local account just needs to set it up with Local Admin rights - although this is a horrendous idea.
>>
>> Do you mean something other than 'logon locally' by standard means? (User has and is using a LOCAL account - not one in a domain...)
>
> Yes. When it's connected to the domain you don't need to log in "locally". So we want the user that logs into that machine to be an admin. I thought of creating a script but the script has to run as admin to do so and since the script will run as the person logged in, it won't work.

In order for a user to TRULY log on locally - one has to already have an account created on the local machine. When that account is created (it is not 'automagically created the first time they logon') the person/script creating the local account gets to choose what type of account that is (administrator, limited, etc.)

Now if what you are saying is that if they take the machine away from your LAN and log into the domain using Cached Credentials - you want them to be admins for as long as they are not connected to your domain... Not only do I not believe you couldn't do this (although with some crazy startup script - it might be possible) - I believe you shouldn't do it. If you cannot trust them as local administrators while connected to your domain directly - why would you trust them as administrators on any of your machines at all?

OR - do you have something where they are logging into the domain account (when they remember to change the domain pull-down) when they can and then they choose the local machine and log into a different account when not connected directly to your domain? (In which case - the first point still applies and you would have to create the local account and could assign it whatever rights you saw fit then.)

Perhaps you are confusing what a domain logon and local logon actually are? A domain cached logon is still a domain logon - there is nothing 'local' about it other than (if you don't use roaming profiles) the stored profile data. A true local logon requires a true local account.

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html
#5
Users log into the domain. They need to be local admin of the machine they are logged on to because they need to install software and/or printers. So the users need to be added to the administrators group of that computer. I could add AUTHENTICATED_USERS to the local administrators group but that is not what I want because I don't want all users having access. I don't want user1 logging into machine1 and user2 (who has never logged into machine1) able to \\machine1\c$ ... and have access to all those files. Sure all user2 has to do is log into machine1 and then they would be able to do that but that isn't as easy to do. So. Is there a group that I can use other than AUTHENTICATED_USERS to accomplish this task?

    net localgroup administrators domain\username /add

The only problem with that is that you have to already be admin to do this.

Shenan Stanley wrote:
> Poohba wrote:
>> Shenan Stanley wrote:
>>> Poohba wrote:
>>>> I want to set it up so that each user that locally logs on to the laptop will be admin. I was going to set it up so that all authenticated users can be admin of the laptops but I don't want that b/c that would allow all users to open explorer and go to \\hostname\c$ and I don't want that for EVERY user, just those that have logged into that machine.
>>>
>>> If the user is 'logging in locally' - that means someone created an account for that person on the local machine. The person who set up the local account just needs to set it up with Local Admin rights - although this is a horrendous idea.
>>>
>>> Do you mean something other than 'logon locally' by standard means? (User has and is using a LOCAL account - not one in a domain...)
>>
>> Yes. When it's connected to the domain you don't need to log in "locally". So we want the user that logs into that machine to be an admin. I thought of creating a script but the script has to run as admin to do so and since the script will run as the person logged in, it won't work.
>
> In order for a user to TRULY log on locally - one has to already have an account created on the local machine. When that account is created (it is not 'automagically created the first time they logon') the person/script creating the local account gets to choose what type of account that is (administrator, limited, etc.)
>
> Now if what you are saying is that if they take the machine away from your LAN and log into the domain using Cached Credentials - you want them to be admins for as long as they are not connected to your domain... Not only do I not believe you couldn't do this (although with some crazy startup script - it might be possible) - I believe you shouldn't do it. If you cannot trust them as local administrators while connected to your domain directly - why would you trust them as administrators on any of your machines at all?
>
> OR - do you have something where they are logging into the domain account (when they remember to change the domain pull-down) when they can and then they choose the local machine and log into a different account when not connected directly to your domain? (In which case - the first point still applies and you would have to create the local account and could assign it whatever rights you saw fit then.)
>
> Perhaps you are confusing what a domain logon and local logon actually are? A domain cached logon is still a domain logon - there is nothing 'local' about it other than (if you don't use roaming profiles) the stored profile data. A true local logon requires a true local account.
#6
On Apr 30, 10:21 am, Poohba wrote:
> Users log into the domain. They need to be local admin of the machine they are logged on to because they need to install software and/or printers. So the users need to be added to the administrators group of that computer. I could add AUTHENTICATED_USERS to the local administrators group but that is not what I want because I don't want all users having access. I don't want user1 logging into machine1 and user2 (who has never logged into machine1) able to \\machine1\c$ ... and have access to all those files. Sure all user2 has to do is log into machine1 and then they would be able to do that but that isn't as easy to do. So. Is there a group that I can use other than AUTHENTICATED_USERS to accomplish this task?
>
>     net localgroup administrators domain\username /add
>
> The only problem with that is that you have to already be admin to do this.
>
> Shenan Stanley wrote:
>> Poohba wrote:
>>> Shenan Stanley wrote:
>>>> Poohba wrote:
>>>>> I want to set it up so that each user that locally logs on to the laptop will be admin. I was going to set it up so that all authenticated users can be admin of the laptops but I don't want that b/c that would allow all users to open explorer and go to \\hostname\c$ and I don't want that for EVERY user, just those that have logged into that machine.
>>>>
>>>> If the user is 'logging in locally' - that means someone created an account for that person on the local machine. The person who set up the local account just needs to set it up with Local Admin rights - although this is a horrendous idea.
>>>>
>>>> Do you mean something other than 'logon locally' by standard means? (User has and is using a LOCAL account - not one in a domain...)
>>>
>>> Yes. When it's connected to the domain you don't need to log in "locally". So we want the user that logs into that machine to be an admin. I thought of creating a script but the script has to run as admin to do so and since the script will run as the person logged in, it won't work.
>>
>> In order for a user to TRULY log on locally - one has to already have an account created on the local machine. When that account is created (it is not 'automagically created the first time they logon') the person/script creating the local account gets to choose what type of account that is (administrator, limited, etc.)
>>
>> Now if what you are saying is that if they take the machine away from your LAN and log into the domain using Cached Credentials - you want them to be admins for as long as they are not connected to your domain... Not only do I not believe you couldn't do this (although with some crazy startup script - it might be possible) - I believe you shouldn't do it. If you cannot trust them as local administrators while connected to your domain directly - why would you trust them as administrators on any of your machines at all?
>>
>> OR - do you have something where they are logging into the domain account (when they remember to change the domain pull-down) when they can and then they choose the local machine and log into a different account when not connected directly to your domain? (In which case - the first point still applies and you would have to create the local account and could assign it whatever rights you saw fit then.)
>>
>> Perhaps you are confusing what a domain logon and local logon actually are? A domain cached logon is still a domain logon - there is nothing 'local' about it other than (if you don't use roaming profiles) the stored profile data. A true local logon requires a true local account.

I would create a domain security group, for example - Laptop Users, or Laptop Admins - and add that group to your local Administrators group on the Laptop. Then add the users who should be allowed access to the laptop to that group.
#7
Poohba wrote:
> Users log into the domain. They need to be local admin of the machine they are logged on to because they need to install software and/or printers. So the users need to be added to the administrators group of that computer. I could add AUTHENTICATED_USERS to the local administrators group but that is not what I want because I don't want all users having access. I don't want user1 logging into machine1 and user2 (who has never logged into machine1) able to \\machine1\c$ ... and have access to all those files. Sure all user2 has to do is log into machine1 and then they would be able to do that but that isn't as easy to do. So. Is there a group that I can use other than AUTHENTICATED_USERS to accomplish this task?
>
>     net localgroup administrators domain\username /add
>
> The only problem with that is that you have to already be admin to do this.

Just make the users you want to be members of the local administrators group of said machine members of a group in AD. Then put that AD group into the local administrators group of the machine in question. That way you more tightly control who actually has administrative rights.

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html
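The approach suggested in posts #6 and #7, as an added PowerShell example that is not part of the original thread: put one domain group into the laptop's local Administrators group, then audit that group for catch-all principals such as Authenticated Users. `CONTOSO\Laptop Admins` is a hypothetical group name; the script assumes an elevated prompt and the built-in LocalAccounts cmdlets (Windows PowerShell 5.1 or later).

```powershell
#Requires -RunAsAdministrator
# Added example. CONTOSO\Laptop Admins is a hypothetical domain group.
$AdminGroupSid  = 'S-1-5-32-544'            # BUILTIN\Administrators (well-known SID)
$DelegatedGroup = 'CONTOSO\Laptop Admins'

# Well-known SIDs that would make (nearly) every account a local administrator.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-4'      = 'INTERACTIVE'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

function Test-BroadPrincipal {
    param([Parameter(Mandatory)][string]$Sid)
    # Domain Users always has the form S-1-5-21-<domain identifier>-513.
    return $BroadSids.ContainsKey($Sid) -or ($Sid -match '^S-1-5-21-\d+-\d+-\d+-513$')
}

# 1. Add the delegated group only if it is missing
#    (Add-LocalGroupMember raises an error for an existing member).
$members = Get-LocalGroupMember -SID $AdminGroupSid
if ($members.Name -notcontains $DelegatedGroup) {
    Add-LocalGroupMember -SID $AdminGroupSid -Member $DelegatedGroup
}

# 2. Audit: list every member and flag the ones that are too broad.
Get-LocalGroupMember -SID $AdminGroupSid | ForEach-Object {
    [pscustomobject]@{
        Name     = $_.Name
        Class    = $_.ObjectClass
        Source   = $_.PrincipalSource
        TooBroad = Test-BroadPrincipal -Sid $_.SID.Value
    }
} | Sort-Object TooBroad -Descending | Format-Table -AutoSize
```

Any row with `TooBroad` set to `True` grants administrator rights, including remote access to `\\hostname\c$`, to accounts that were never individually approved.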
#8
Maybe I'm not being clear. Everyone is/should be local admin of the computer they are using. Any machine a user logs into they should be made local admin of that machine. To do this I could just add AUTHENTICATED_USERS to the local admin group but that would allow users that never logged into that machine access to it remotely and I don't want that. (access via \\hostname\c$) Is there another group that I could use other than AUTHENTICATED_USERS? A group such as DOMAIN_USERS_LOGGED_IN_LOCALLY or something like that.

The thing is I don't want to have to remote into each machine a user logs on to and give them permission. I am doing it now and I can continue to do it but if there is a way around it, that would be helpful.

Shenan Stanley wrote:
> Poohba wrote:
>> Users log into the domain. They need to be local admin of the machine they are logged on to because they need to install software and/or printers. So the users need to be added to the administrators group of that computer. I could add AUTHENTICATED_USERS to the local administrators group but that is not what I want because I don't want all users having access. I don't want user1 logging into machine1 and user2 (who has never logged into machine1) able to \\machine1\c$ ... and have access to all those files. Sure all user2 has to do is log into machine1 and then they would be able to do that but that isn't as easy to do. So. Is there a group that I can use other than AUTHENTICATED_USERS to accomplish this task?
>>
>>     net localgroup administrators domain\username /add
>>
>> The only problem with that is that you have to already be admin to do this.
>
> Just make the users you want to be members of the local administrators group of said machine members of a group in AD. Then put that AD group into the local administrators group of the machine in question. That way you more tightly control who actually has administrative rights.
#9
Poohba wrote:
> Maybe I'm not being clear. Everyone is/should be local admin of the computer they are using. Any machine a user logs into they should be made local admin of that machine. To do this I could just add AUTHENTICATED_USERS to the local admin group but that would allow users that never logged into that machine access to it remotely and I don't want that. (access via \\hostname\c$) Is there another group that I could use other than AUTHENTICATED_USERS? A group such as DOMAIN_USERS_LOGGED_IN_LOCALLY or something like that.
>
> The thing is I don't want to have to remote into each machine a user logs on to and give them permission. I am doing it now and I can continue to do it but if there is a way around it, that would be helpful.

This is fairly clear: "Everyone is/should be local admin of the computer they are using." And bad practice.

This is fairly clear: "Any machine a user logs into they should be made local admin of that machine." And bad practice.

Here's the problem you are having. You want to limit users, but not limit them. No - there is no 'group' you can make that would make them just a local administrator of the machine they are currently logged into and not the other machines who are set up the same way not be admins. There is no simplistic way to do what you are trying to do with groups/membership in a group - given these machines are domain machines. There is no script to do this either - as I cannot see it being a practice anyone would WANT to take up.

What's the point of having them be administrators on only the machine they are on - but not any other machine on the network? They just should not be administrators at all. If they need something installed - they *should* have to (at least) log out and log in as a user with more rights and/or contact an IT staffer.

You could - and this would solve your issue quite nicely - set up the Windows Firewall on the machine and control it with group policies and not allow file/print sharing but from a certain group of machines. In that way - no matter that they are local admins - they cannot map a printer/file share on another machine unless their machine is specified in the firewall settings - which is controlled by group policy and should only contain machines your IT staff logs into and servers they might utilize.

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html
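The firewall approach from post #9, as an added PowerShell example that is not part of the original thread: a Group Policy object that admits inbound SMB on TCP 445 (the `\\hostname\c$` path) only from IT management addresses. The GPO name `corp.example\Laptop Firewall` and the address list are hypothetical placeholders; the NetSecurity cmdlets used here require Windows 8 / Server 2012 or later and rights to edit the GPO.

```powershell
# Added example. The GPO name and the addresses are placeholders.
$GpoPath       = 'corp.example\Laptop Firewall'    # hypothetical <domain>\<GPO name>; must already exist
$MgmtAddresses = @('10.0.50.0/24', '10.0.60.10')   # constructed: IT workstations and a server

# Open a cached GPO session so all changes are written in one save.
$gpo = Open-NetGPO -PolicyStore $GpoPath

# Firewall on, inbound blocked by default, and locally defined rules not merged,
# so a rule added on the laptop itself does not widen this policy.
# (Applications that rely on local allow rules then need a rule in the GPO too.)
Set-NetFirewallProfile -GPOSession $gpo -All `
    -Enabled True -DefaultInboundAction Block -AllowLocalFirewallRules False

# Allow file sharing over TCP 445 only from the management addresses.
New-NetFirewallRule -GPOSession $gpo `
    -DisplayName 'SMB inbound from IT management only' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 445 `
    -RemoteAddress $MgmtAddresses -Profile Domain | Out-Null

Save-NetGPO -GPOSession $gpo

# Check on a laptop after gpupdate: inbound port-445 rules actually in effect,
# with the remote addresses each one accepts.
Get-NetFirewallPortFilter -PolicyStore ActiveStore |
    Where-Object { $_.LocalPort -eq '445' } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' } |
    ForEach-Object {
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Action        = $_.Action
            RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', '
        }
    }
```

A rule in the check output whose `RemoteAddress` is `Any` means the share is still reachable from every machine on the network.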