If this is your first visit, be sure to check out the FAQ by clicking the link above. You may have to register before you can post: click the register link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below. |
|
|
Thread Tools | Display Modes |
#1
|
|||
|
|||
Admin right for station
I would love to know how to give my users admin right to their own station.
The only thing that has worked for me is to go to the station and change the security settings on both the C drive and the registry. They are logging on to a domain, so it's taking the domain user persmissions. I tried giving them administrator rights on their account, but I guess it doesn't mean local admin rights. Some sofware that they are running needs them to be adminstrators of their own station, and going to each to edit the rights on the station is ridiculous. I've tried going around to the group policies, but can't seem to find out how to change the policy to make it work. Thx |
Ads |
#2
|
|||
|
|||
Admin right for station
You can simply add their domain user account to the local administrators
group on their domain workstation to make them administrators on their workstation. However you seem to have found a way to give the users access to the applications they need by modifying NTFS/registry permissions which is much preferable in my opinion to making them local administrator. You can use Group Policy to manage NTFS and registry permissions if need be but I would do that only at the Organizational Unit for computer accounts you want to apply the settings to. Look under computer configuration/Windows settings/security settings for file system and registry. Be sure you test out changes on a couple test computers first to make sure everything works as planned. Changes made by file system and registry remaineven if the Group Policy that implemented them are unlinked. --- Steve "Crown Royal" wrote in message ... I would love to know how to give my users admin right to their own station. The only thing that has worked for me is to go to the station and change the security settings on both the C drive and the registry. They are logging on to a domain, so it's taking the domain user persmissions. I tried giving them administrator rights on their account, but I guess it doesn't mean local admin rights. Some sofware that they are running needs them to be adminstrators of their own station, and going to each to edit the rights on the station is ridiculous. I've tried going around to the group policies, but can't seem to find out how to change the policy to make it work. Thx |
#3
|
|||
|
|||
Admin right for station
"Crown Royal" wrote in message ... I would love to know how to give my users admin right to their own station. The only thing that has worked for me is to go to the station and change the security settings on both the C drive and the registry. They are logging on to a domain, so it's taking the domain user persmissions. I tried giving them administrator rights on their account, but I guess it doesn't mean local admin rights. Some sofware that they are running needs them to be adminstrators of their own station, and going to each to edit the rights on the station is ridiculous. I've tried going around to the group policies, but can't seem to find out how to change the policy to make it work. Thx If you absolutely positively must do this, create an AD security group called "Local Admins", and add it to the local administrators group on all your workstations however you wish. Then add the domain users to the AD group. However, I must suggest that this is usually a very bad idea. Why do this at all? You're probably opening up all kinds of problems by doing so. Users should not need admin rights to do their daily tasks - even admin types. |
#4
|
|||
|
|||
Admin right for station
Crown Royal wrote:
I would love to know how to give my users admin right to their own station. The only thing that has worked for me is to go to the station and change the security settings on both the C drive and the registry. They are logging on to a domain, so it's taking the domain user persmissions. I tried giving them administrator rights on their account, but I guess it doesn't mean local admin rights. Some sofware that they are running needs them to be adminstrators of their own station, and going to each to edit the rights on the station is ridiculous. I've tried going around to the group policies, but can't seem to find out how to change the policy to make it work. Thx Will the 'power users' group do instead, we have to enable that for a couple of err 'legacy applications' (designed I think for win3.11); at least they don't get full admin rights. |
#5
|
|||
|
|||
Admin right for station
Hi,
You could add "NT Authority\Interactive" to the local Administrators group to let all domain users automatically be local admins when they log on to a computer interactively. This is more secure than adding "Authenticated Domain Users", "Domain Users", "NT AUTHORITY\Authenticated Users" or any other global security group because you avoid the issue with cross network admin rights (remote access) that these groups introduces. You can do this operation in a computer startup script (with a GPO) that runs as part of the boot up process (before the user logs in). It runs under the system context and has admin rights. Be sure to not do this on servers though! Adding it to the Administrators group with a command line in a bat file: %SystemRoot%\system32\net.exe LOCALGROUP /ADD "Administrators" "NT Authority\Interactive" (the command above will wrap over to lines in the newsgroup post, it needs to be adjusted to be all on one line) Adding it to the Administrators group using vbscript: '--------------------8---------------------- Option Explicit Dim objNetwork, strComputer, objLocalGroup ' create network object for the local computer Set objNetwork = CreateObject("Wscript.Network") ' get the name of the local computer strComputer = objNetwork.ComputerName ' bind to the group Set objLocalGroup = GetObject("WinNT://" & strComputer & "/Administrators,group") ' add NT Authority\Interactive to the group On Error Resume Next ' suppress error in case it is already a member objLocalGroup.Add("WinNT://NT Authority/Interactive") On Error Goto 0 '--------------------8---------------------- Crown Royal wrote: I would love to know how to give my users admin right to their own station. The only thing that has worked for me is to go to the station and change the security settings on both the C drive and the registry. They are logging on to a domain, so it's taking the domain user persmissions. I tried giving them administrator rights on their account, but I guess it doesn't mean local admin rights. Some sofware that they are running needs them to be adminstrators of their own station, and going to each to edit the rights on the station is ridiculous. I've tried going around to the group policies, but can't seem to find out how to change the policy to make it work. Thx -- torgeir, Microsoft MVP Scripting, Porsgrunn Norway Administration scripting examples and an ONLINE version of the 1328 page Scripting Guide: http://www.microsoft.com/technet/scr...r/default.mspx |
#6
|
|||
|
|||
Admin right for station
In , Torgeir Bakken (MVP) typed: Hi, You could add "NT Authority\Interactive" to the local Administrators group to let all domain users automatically be local admins when they log on to a computer interactively. Ooh, awesome. Good advice. Thanks, Torgeir. This is more secure than adding "Authenticated Domain Users", "Domain Users", "NT AUTHORITY\Authenticated Users" or any other global security group because you avoid the issue with cross network admin rights (remote access) that these groups introduces. You can do this operation in a computer startup script (with a GPO) that runs as part of the boot up process (before the user logs in). It runs under the system context and has admin rights. Be sure to not do this on servers though! Adding it to the Administrators group with a command line in a bat file: %SystemRoot%\system32\net.exe LOCALGROUP /ADD "Administrators" "NT Authority\Interactive" (the command above will wrap over to lines in the newsgroup post, it needs to be adjusted to be all on one line) Adding it to the Administrators group using vbscript: '--------------------8---------------------- Option Explicit Dim objNetwork, strComputer, objLocalGroup ' create network object for the local computer Set objNetwork = CreateObject("Wscript.Network") ' get the name of the local computer strComputer = objNetwork.ComputerName ' bind to the group Set objLocalGroup = GetObject("WinNT://" & strComputer & "/Administrators,group") ' add NT Authority\Interactive to the group On Error Resume Next ' suppress error in case it is already a member objLocalGroup.Add("WinNT://NT Authority/Interactive") On Error Goto 0 '--------------------8---------------------- Crown Royal wrote: I would love to know how to give my users admin right to their own station. The only thing that has worked for me is to go to the station and change the security settings on both the C drive and the registry. They are logging on to a domain, so it's taking the domain user persmissions. I tried giving them administrator rights on their account, but I guess it doesn't mean local admin rights. Some sofware that they are running needs them to be adminstrators of their own station, and going to each to edit the rights on the station is ridiculous. I've tried going around to the group policies, but can't seem to find out how to change the policy to make it work. Thx |
#7
|
|||
|
|||
Admin right for station
Crown Royal wrote:
I would love to know how to give my users admin right to their own station. Simply add each users' domain account to the computer's local Administrators group. (And then double the number of Help Desk and desktop support technicians you currently employ - their workload is about to sky-rocket.) The only thing that has worked for me is to go to the station and change the security settings on both the C drive and the registry. And how could that possibly be expected to confer administrative privileges? Is there no one in your IT department that's ever worked with WinNT, Win2K, or WinXP? They are logging on to a domain, so it's taking the domain user persmissions. I tried giving them administrator rights on their account, but I guess it doesn't mean local admin rights. You mean you're giving all of your users domain admin privileges? How did you ever get hired to sabotage a network? Some sofware that they are running needs them to be adminstrators of their own station, ... Nonsense. You may experience some problems if the software was designed for Win9x/Me, or if it was intended for WinNT/2K/XP, but was improperly designed. Quite simply, the application doesn't "know" how to handle individual user profiles with differing security permissions levels, or the application is designed to make to make changes to "off-limits" sections of the Windows registry or protected Windows system folders. For example, saved data are often stored in a sub-folder under the application's folder within C:\Program Files - a place where no inexperienced or limited user should ever have write permissions. It may even be that the software requires "write" access to parts of the registry or protected systems folders/files that are not normally accessible to regular users. (This *won't* occur if the application is properly written.) If this does prove to be the case, however, you're often left with three options: Either grant the necessary users appropriate higher access privileges (either as Power Users or local administrators), explicitly grant normal users elevated privileges to the affected folders and/or part(s) or the registry, or replace the application with one that was properly designed specifically for WinNT/2K/XP. Some Programs Do Not Work If You Log On from Limited Account http://support.microsoft.com/default...;EN-US;q307091 Additionally, here are a couple of tips suggested, in a reply to a different post, by MS-MVP Kent W. England: "If your game or application works with admin accounts, but not with limited accounts, you can fix it to allow limited users to access the program files folder with "change" capability rather than "read" which is the default. C:\cacls "Program Files\appfolder" /e /t /p users:c where "appfolder" is the folder where the application is installed. If you wish to undo these changes, then run C:\cacls "Program Files\appfolder" /e /t /p users:r If you still have a problem with running the program or saving settings on limited accounts, you may need to change permissions on the registry keys. Run regedit.exe and go to HKLM\Software\vendor\app, where "vendor\app" is the key that the software vendor used for your specific program. Change the permissions on this key to allow Users full control." .... and going to each to edit the rights on the station is ridiculous. And unnecessary. Consider hiring a network administrator and a technician or two who know something about managing a domain and its workstations. -- Bruce Chambers Help us help you: http://dts-l.org/goodpost.htm http://www.catb.org/~esr/faqs/smart-questions.html You can have peace. Or you can have freedom. Don't ever count on having both at once. - RAH |
#8
|
|||
|
|||
Admin right for station
Yep, I totally agree that it "sucks", but unfortunately, there is the need to
do this sometimes because of applications that write to the registry everytime someone uses the program. It isn't bad if it's only one applications, but when you have several, there isn't much choice. I understand that Vista will correct that problem, but with XP your choices are limited "Lanwench [MVP - Exchange]" wrote: "Crown Royal" wrote in message ... I would love to know how to give my users admin right to their own station. The only thing that has worked for me is to go to the station and change the security settings on both the C drive and the registry. They are logging on to a domain, so it's taking the domain user persmissions. I tried giving them administrator rights on their account, but I guess it doesn't mean local admin rights. Some sofware that they are running needs them to be adminstrators of their own station, and going to each to edit the rights on the station is ridiculous. I've tried going around to the group policies, but can't seem to find out how to change the policy to make it work. Thx If you absolutely positively must do this, create an AD security group called "Local Admins", and add it to the local administrators group on all your workstations however you wish. Then add the domain users to the AD group. However, I must suggest that this is usually a very bad idea. Why do this at all? You're probably opening up all kinds of problems by doing so. Users should not need admin rights to do their daily tasks - even admin types. |
#9
|
|||
|
|||
Admin right for station
I find this group very helpful when used to sharpen one's skill. It's
unfortunate that we sometimes get responses from people who have nothing better to do than poke fun at others. Yes Bruce, I'm talking about you. Not that I feel slighted, but I do have quite a bit of knowledge, and when everyone else's network was going down because of blaster, mine were happily moving along thank you. You don't know anything about my setup, so why bother responding to this question. And to ape the way you responded, And how could that possibly be expected to confer administrative privileges? Is there no one in your IT department that's ever worked with WinNT, Win2K, or WinXP? By the way, you can give admin permission to certain applications through the registry, maybe you need to hire someone to teach you a few things. "Bruce Chambers" wrote: Crown Royal wrote: I would love to know how to give my users admin right to their own station. Simply add each users' domain account to the computer's local Administrators group. (And then double the number of Help Desk and desktop support technicians you currently employ - their workload is about to sky-rocket.) The only thing that has worked for me is to go to the station and change the security settings on both the C drive and the registry. And how could that possibly be expected to confer administrative privileges? Is there no one in your IT department that's ever worked with WinNT, Win2K, or WinXP? They are logging on to a domain, so it's taking the domain user persmissions. I tried giving them administrator rights on their account, but I guess it doesn't mean local admin rights. You mean you're giving all of your users domain admin privileges? How did you ever get hired to sabotage a network? Some sofware that they are running needs them to be adminstrators of their own station, ... Nonsense. You may experience some problems if the software was designed for Win9x/Me, or if it was intended for WinNT/2K/XP, but was improperly designed. Quite simply, the application doesn't "know" how to handle individual user profiles with differing security permissions levels, or the application is designed to make to make changes to "off-limits" sections of the Windows registry or protected Windows system folders. For example, saved data are often stored in a sub-folder under the application's folder within C:\Program Files - a place where no inexperienced or limited user should ever have write permissions. It may even be that the software requires "write" access to parts of the registry or protected systems folders/files that are not normally accessible to regular users. (This *won't* occur if the application is properly written.) If this does prove to be the case, however, you're often left with three options: Either grant the necessary users appropriate higher access privileges (either as Power Users or local administrators), explicitly grant normal users elevated privileges to the affected folders and/or part(s) or the registry, or replace the application with one that was properly designed specifically for WinNT/2K/XP. Some Programs Do Not Work If You Log On from Limited Account http://support.microsoft.com/default...;EN-US;q307091 Additionally, here are a couple of tips suggested, in a reply to a different post, by MS-MVP Kent W. England: "If your game or application works with admin accounts, but not with limited accounts, you can fix it to allow limited users to access the program files folder with "change" capability rather than "read" which is the default. C:\cacls "Program Files\appfolder" /e /t /p users:c where "appfolder" is the folder where the application is installed. If you wish to undo these changes, then run C:\cacls "Program Files\appfolder" /e /t /p users:r If you still have a problem with running the program or saving settings on limited accounts, you may need to change permissions on the registry keys. Run regedit.exe and go to HKLM\Software\vendor\app, where "vendor\app" is the key that the software vendor used for your specific program. Change the permissions on this key to allow Users full control." .... and going to each to edit the rights on the station is ridiculous. And unnecessary. Consider hiring a network administrator and a technician or two who know something about managing a domain and its workstations. -- Bruce Chambers Help us help you: http://dts-l.org/goodpost.htm http://www.catb.org/~esr/faqs/smart-questions.html You can have peace. Or you can have freedom. Don't ever count on having both at once. - RAH |
#10
|
|||
|
|||
Admin right for station
In , Crown Royal typed: Yep, I totally agree that it "sucks", but unfortunately, there is the need to do this sometimes because of applications that write to the registry everytime someone uses the program. It isn't bad if it's only one applications, but when you have several, there isn't much choice. I understand that Vista will correct that problem, but with XP your choices are limited There's also FileMon and RegMon from www.sysinternals.com. .... can be very handy. "Lanwench [MVP - Exchange]" wrote: "Crown Royal" wrote in message ... I would love to know how to give my users admin right to their own station. The only thing that has worked for me is to go to the station and change the security settings on both the C drive and the registry. They are logging on to a domain, so it's taking the domain user persmissions. I tried giving them administrator rights on their account, but I guess it doesn't mean local admin rights. Some sofware that they are running needs them to be adminstrators of their own station, and going to each to edit the rights on the station is ridiculous. I've tried going around to the group policies, but can't seem to find out how to change the policy to make it work. Thx If you absolutely positively must do this, create an AD security group called "Local Admins", and add it to the local administrators group on all your workstations however you wish. Then add the domain users to the AD group. However, I must suggest that this is usually a very bad idea. Why do this at all? You're probably opening up all kinds of problems by doing so. Users should not need admin rights to do their daily tasks - even admin types. |
Thread Tools | |
Display Modes | |
|
|
Similar Threads | ||||
Thread | Thread Starter | Forum | Replies | Last Post |
Adding network user to local admin group | Jeff | General XP issues or comments | 1 | November 8th 05 09:11 PM |
way to let users run program as admin iwthout knowing admin password? | Nelson B | General XP issues or comments | 8 | September 19th 05 07:07 PM |
User Management Question | [email protected] | The Basics | 4 | November 21st 04 09:54 PM |
Need admin account | WayuU | Security and Administration with Windows XP | 6 | October 15th 04 05:26 AM |
Local Admin Cant install SP2 | Joel White | Windows Service Pack 2 | 1 | September 2nd 04 11:51 PM |