A Windows XP help forum. PCbanter


Admin right for station



 
 
  #1  
Old November 23rd 05, 07:22 PM posted to microsoft.public.windowsxp.security_admin

I would love to know how to give my users admin right to their own station.
The only thing that has worked for me is to go to the station and change the
security settings on both the C drive and the registry. They are logging on
to a domain, so it's taking the domain user permissions. I tried giving
them administrator rights on their account, but I guess it doesn't mean local
admin rights. Some software that they are running needs them to be
administrators of their own station, and going to each to edit the rights on
the station is ridiculous. I've tried going around to the group policies,
but can't seem to find out how to change the policy to make it work.

Thx
  #2  
Old November 23rd 05, 08:18 PM posted to microsoft.public.windowsxp.security_admin

You can simply add their domain user account to the local administrators
group on their domain workstation to make them administrators on their
workstation. However you seem to have found a way to give the users access
to the applications they need by modifying NTFS/registry permissions which
is much preferable in my opinion to making them local administrator. You can
use Group Policy to manage NTFS and registry permissions if need be but I
would do that only at the Organizational Unit for computer accounts you want
to apply the settings to. Look under computer configuration/Windows
settings/security settings for file system and registry. Be sure you test
out changes on a couple test computers first to make sure everything works
as planned. Changes made by file system and registry remain even if the Group
Policy that implemented them is unlinked. --- Steve





  #3  
Old November 24th 05, 01:29 AM posted to microsoft.public.windowsxp.security_admin


If you absolutely positively must do this, create an AD security group
called "Local Admins", and add it to the local administrators group on all
your workstations however you wish. Then add the domain users to the AD
group.

However, I must suggest that this is usually a very bad idea. Why do this at
all? You're probably opening up all kinds of problems by doing so. Users
should not need admin rights to do their daily tasks - even admin types.


  #4  
Old November 24th 05, 11:24 AM posted to microsoft.public.windowsxp.security_admin


Will the 'power users' group do instead? We have to enable that for a
couple of err 'legacy applications' (designed I think for win3.11); at
least they don't get full admin rights.
  #5  
Old November 24th 05, 01:55 PM posted to microsoft.public.windowsxp.security_admin

Hi,

You could add "NT Authority\Interactive" to the local Administrators
group to let all domain users automatically be local admins when they
log on to a computer interactively.

This is more secure than adding "Authenticated Domain Users",
"Domain Users", "NT AUTHORITY\Authenticated Users" or any other
global security group because you avoid the issue with cross
network admin rights (remote access) that these groups introduce.

You can do this operation in a computer startup script (with a
GPO) that runs as part of the boot up process (before the user logs
in). It runs under the system context and has admin rights.

Be sure to not do this on servers though!

Adding it to the Administrators group with a command line in a bat
file:

%SystemRoot%\system32\net.exe LOCALGROUP /ADD "Administrators"
"NT Authority\Interactive"

(the command above will wrap over two lines in the newsgroup post, it
needs to be adjusted to be all on one line)


Adding it to the Administrators group using vbscript:

'--------------------8----------------------
Option Explicit

Dim objNetwork, strComputer, objLocalGroup

' create network object for the local computer
Set objNetwork = CreateObject("Wscript.Network")

' get the name of the local computer
strComputer = objNetwork.ComputerName

' bind to the group
Set objLocalGroup = GetObject("WinNT://" & strComputer & "/Administrators,group")

' add NT Authority\Interactive to the group
On Error Resume Next ' suppress error in case it is already a member
objLocalGroup.Add("WinNT://NT Authority/Interactive")
On Error Goto 0
'--------------------8----------------------





--
torgeir, Microsoft MVP Scripting, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scr...r/default.mspx
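
Added example, not part of the post above or of any reply in this thread: a PowerShell audit that lists the local Administrators group on a workstation and flags the broad principals the thread discusses (Interactive, Authenticated Users, Domain Users). It assumes Windows PowerShell 5.1 or later for Get-LocalGroupMember; the function names and the sample SIDs are made up for illustration.

```powershell
# Added example: report over-broad members of the local Administrators group.
# Assumption: Windows PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts module).

# Well-known SIDs that stand for "nearly everyone" rather than named admins.
$BroadWellKnownSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-4'      = 'NT AUTHORITY\INTERACTIVE (anyone who logs on interactively)'
    'S-1-5-11'     = 'NT AUTHORITY\Authenticated Users (admin rights also apply over the network)'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

function Get-BroadPrincipalReason {
    # Returns a description when the SID is a broad principal, otherwise $null.
    param([Parameter(Mandatory)][string]$Sid)

    if ($BroadWellKnownSids.ContainsKey($Sid)) {
        return $BroadWellKnownSids[$Sid]
    }
    # Domain Users is always <domain SID>-513, whatever the domain is called.
    if ($Sid -match '^S-1-5-21-\d+-\d+-\d+-513$') {
        return 'Domain Users (admin rights also apply over the network)'
    }
    return $null
}

function Get-LocalAdminAudit {
    # S-1-5-32-544 is BUILTIN\Administrators; binding by SID works on
    # localized systems where the group is not named "Administrators".
    try {
        $members = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop
    }
    catch {
        # The cmdlet is known to fail when the group holds an orphaned SID.
        Write-Warning "Could not enumerate Administrators: $($_.Exception.Message)"
        return
    }

    foreach ($m in $members) {
        $reason  = Get-BroadPrincipalReason -Sid $m.SID.Value
        $finding = 'review'
        if ($reason) { $finding = "BROAD: $reason" }

        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Member   = $m.Name
            Sid      = $m.SID.Value
            Class    = $m.ObjectClass
            Finding  = $finding
        }
    }
}

# Constructed sample SIDs (not from any real domain) to show the classification
# without touching the local machine.
$sampleSids = @(
    'S-1-5-4',
    'S-1-5-21-1111111111-2222222222-3333333333-513',
    'S-1-5-21-1111111111-2222222222-3333333333-500'
)
foreach ($sid in $sampleSids) {
    $reason = Get-BroadPrincipalReason -Sid $sid
    if (-not $reason) { $reason = 'not a broad principal' }
    '{0} -> {1}' -f $sid, $reason
}

# Live check of this computer.
Get-LocalAdminAudit | Format-Table -AutoSize
```

Every row marked BROAD is a principal that makes a whole class of users local administrators; rows marked review are named accounts or groups whose membership still needs to be checked by hand.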
  #6  
Old November 24th 05, 04:17 PM posted to microsoft.public.windowsxp.security_admin



Torgeir Bakken (MVP) typed:
Hi,

You could add "NT Authority\Interactive" to the local Administrators
group to let all domain users automatically be local admins when they
log on to a computer interactively.


Ooh, awesome. Good advice. Thanks, Torgeir.




  #7  
Old November 24th 05, 05:55 PM posted to microsoft.public.windowsxp.security_admin

Crown Royal wrote:
I would love to know how to give my users admin right to their own station.



Simply add each user's domain account to the computer's local
Administrators group. (And then double the number of Help Desk and
desktop support technicians you currently employ - their workload is
about to sky-rocket.)


The only thing that has worked for me is to go to the station and change the
security settings on both the C drive and the registry.



And how could that possibly be expected to confer administrative
privileges? Is there no one in your IT department that's ever worked
with WinNT, Win2K, or WinXP?


They are logging on
to a domain, so it's taking the domain user permissions. I tried giving
them administrator rights on their account, but I guess it doesn't mean local
admin rights.



You mean you're giving all of your users domain admin privileges? How
did you ever get hired to sabotage a network?


Some software that they are running needs them to be
administrators of their own station, ...



Nonsense.

You may experience some problems if the software was designed for
Win9x/Me, or if it was intended for WinNT/2K/XP, but was improperly
designed. Quite simply, the application doesn't "know" how to handle
individual user profiles with differing security permissions levels, or
the application is designed to make changes to "off-limits"
sections of the Windows registry or protected Windows system folders.

For example, saved data are often stored in a sub-folder under the
application's folder within C:\Program Files - a place where no
inexperienced or limited user should ever have write permissions.

It may even be that the software requires "write" access to parts
of the registry or protected systems folders/files that are not normally
accessible to regular users. (This *won't* occur if the application is
properly written.) If this does prove to be the case, however, you're
often left with three options: Either grant the necessary users
appropriate higher access privileges (either as Power Users or local
administrators), explicitly grant normal users elevated privileges to
the affected folders and/or part(s) of the registry, or replace the
application with one that was properly designed specifically for
WinNT/2K/XP.

Some Programs Do Not Work If You Log On from Limited Account
http://support.microsoft.com/default...;EN-US;q307091

Additionally, here are a couple of tips suggested, in a reply to a
different post, by MS-MVP Kent W. England:

"If your game or application works with admin accounts, but not with
limited accounts, you can fix it to allow limited users to access the
program files folder with "change" capability rather than "read" which
is the default.

C:\>cacls "Program Files\appfolder" /e /t /p users:c

where "appfolder" is the folder where the application is installed.

If you wish to undo these changes, then run

C:\>cacls "Program Files\appfolder" /e /t /p users:r

If you still have a problem with running the program or saving
settings on limited accounts, you may need to change permissions on
the registry keys. Run regedit.exe and go to HKLM\Software\vendor\app,
where "vendor\app" is the key that the software vendor used for your
specific program. Change the permissions on this key to allow Users
full control."



.... and going to each to edit the rights on
the station is ridiculous.



And unnecessary. Consider hiring a network administrator and a
technician or two who know something about managing a domain and its
workstations.


--

Bruce Chambers

Help us help you:
http://dts-l.org/goodpost.htm
http://www.catb.org/~esr/faqs/smart-questions.html

You can have peace. Or you can have freedom. Don't ever count on having
both at once. - RAH
  #8  
Old November 24th 05, 06:25 PM posted to microsoft.public.windowsxp.security_admin

Yep, I totally agree that it "sucks", but unfortunately, there is the need to
do this sometimes because of applications that write to the registry
every time someone uses the program. It isn't bad if it's only one
application, but when you have several, there isn't much choice. I
understand that Vista will correct that problem, but with XP your choices are
limited.




  #9  
Old November 24th 05, 06:46 PM posted to microsoft.public.windowsxp.security_admin

I find this group very helpful when used to sharpen one's skill. It's
unfortunate that we sometimes get responses from people who have nothing
better to do than poke fun at others. Yes Bruce, I'm talking about you. Not
that I feel slighted, but I do have quite a bit of knowledge, and when
everyone else's network was going down because of blaster, mine were happily
moving along thank you. You don't know anything about my setup, so why
bother responding to this question. And to ape the way you responded,

And how could that possibly be expected to confer administrative
privileges? Is there no one in your IT department that's ever worked
with WinNT, Win2K, or WinXP?


By the way, you can give admin permission to certain applications through
the registry, maybe you need to hire someone to teach you a few things.


  #10  
Old November 26th 05, 04:03 AM posted to microsoft.public.windowsxp.security_admin



Crown Royal typed:
Yep, I totally agree that it "sucks", but unfortunately, there is the
need to do this sometimes because of applications that write to the
registry every time someone uses the program. It isn't bad if it's
only one application, but when you have several, there isn't much
choice. I understand that Vista will correct that problem, but with
XP your choices are limited


There's also FileMon and RegMon from www.sysinternals.com. .... can be very
handy.





 



