Announcement

Collapse
No announcement yet.

How do you add Admin rights (locally) to a user?

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • How do you add Admin rights (locally) to a user?

    Is there a script I can add to the user profile or a setting I can check in Win2k so that when my users log into the Windows XP workstation, they are considered Admins or Power Users on the local machine ONLY? (not on the network)

    We are using a 3rd party program the requires these rights to be set and we don't want it to interfere with our network security.

    We are also using roaming profiles so I need to configure it so it happens every time.
    Last edited by BigDan; 13th December 2007, 23:54. Reason: forgot something :S
    << Working together to prevent ID10T errors >>

  • #2
    Re: How do you add Admin rights (locally) to a user?

    Have a look at Restricted groups and GPO's

    http://www.microsoft.com/resources/d....mspx?mfr=true

    There will also be threads on here that will help.

    Comment


    • #3
      Re: How do you add Admin rights (locally) to a user?

      Hi,

      I will not prefer to go for the restricted groups as they will not allow any other member to be added other then defined in GP.

      Go for the start-up script:

      http://forums.petri.com/showthread.php?t=20078

      First few replies answer your query.

      Regards,
      Kapil Sharma
      ~~~~~~~~~~~~~
      Life is too short, Enjoy It.

      Comment


      • #4
        Re: How do you add Admin rights (locally) to a user?

        I continued looking around and did find the forums about restricted users, Specifically these ones:

        1) http://forums.petri.com/showthread.php?t=14548&page=2
        2) http://forums.petri.com/showthread.p...2525#post52525
        (great Big thanks to joopdog and rems for those posts)
        I followed these steps, step by step, but Must have missed something because I wasn't able to log in as a user, not even as Administrator!!

        I looked through the various script options out there (thanks kapilsharma11) but I need to add a good hundred or so to the local admin.

        I should give more detail I think....

        I just came into the company and need to straighten allot of things out, specifically I needed to set up all the users to have roaming profiles, set up a mapped drive (F:\ and, due to a program requirement, have all users be part of the local Administrators group.

        I correctly set up the Roaming profiles after a little problem, (thanks to those who helped), and created a mapped drive for all users via a GPO login script (If you want to know details please ask.

        I now need to finnish of the hat trick by completing the admin group.
        (I told you what I had to do because you may know of a way to simplify it all in just a few steps... Just in case )

        now I hit the good ol' books for a while and even went through google a couple of dozen times and I keep coming up with the same things, restrivive groups and VB scripts.

        1) Restrictive groups
        I followed along with the instructions in the links above but I cant login as anybody, not even the Administrator. I know I prob. missed something but I cant seem to spot it.

        2) VB
        I attempted this solution first and much to my dismay, the workstations do not recognize the VB file...


        I know this is a vary basic solution but I really can't figure this one out...

        Please help!

        - Dan
        << Working together to prevent ID10T errors >>

        Comment


        • #5
          Re: How do you add Admin rights (locally) to a user?

          Simpe answer first guys... Add the user to the "Administrators" group on the local machine. This will give him Admin rights.


          Tom
          For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

          Anything you say will be misquoted and used against you

          Comment


          • #6
            Re: How do you add Admin rights (locally) to a user?

            I wasn't able to log in as a user, not even as Administrator!!
            You mean to Windows or to the application?? If you meant Windows then you have other problems, this has nothing to do with membership of the local Administors group.

            Can you still logon at Windows as (local-) administrator, then check the group members of the local Administrators group on one of the clients, verify the AD-group "domain\Domain Admins" is a member of the local Administrators group.


            I looked through the various script options out there (thanks kapilsharma11) but I need to add a good hundred or so to the local admin.
            Do not add users seperately, add them to a new global security group in AD. Use the command to add this AD-goup to the local Administrators Group.
            Code:
            @echo off
            
            :: V a r i a b l e s
            (Set locgroup=Administrators)
            (Set domain=DomainName)
            (Set domaingroup=MyNewGroupName)
            
            :: E m p t y  t h e  l o c a l g r o u p 
            For /F "delims=" %%* in ('net localgroup "%locgroup%"') Do (
                                    net localgroup %locgroup% "%%*" /Delete & cls)
            
            :: N e s t  A D - g r o u p s  a s  m e m b e r s 
            net localgroup "%locgroup%" "%domain%\Domain Admins" /ADD
            net localgroup "%locgroup%" "%domain%\%domaingroup%" /ADD
            This batch is not a logon script, it is a Computer Configuration Startup script.

            But the best way to controle local group memberschip is by using the Restricted Groups Policy.
            Run tests in this order,
            Check wheter the policy is applied to the computers.
            Check if the Restricted Group empties the local group Administrators on the clients
            Check if the New memberships are added by the Restricted Group .


            One thing that should be mensioned!
            Making users local Administrators, can make it hard for networkadministors to keep control over the processes running on client computers. Users always trying things on the computer and with or with out knowing it they can install programs that affect the performance of the computer or the network. There are also programs that run with out noticing like a keylogger.
            It is mutch better to change only the nessesary permissions, instead of making them Administrators. Use Filemon and Regmon to find out what acces permission the user must have to run the 3rd party program succefully.


            \Rems

            This posting is provided "AS IS" with no warranties, and confers no rights.

            __________________

            ** Remember to give credit where credit's due **
            and leave Reputation Points for meaningful posts

            Comment


            • #7
              Re: How do you add Admin rights (locally) to a user?

              Originally posted by Rems View Post
              You mean to Windows or to the application?? If you meant Windows then you have other problems, this has nothing to do with membership of the local Administors group.
              I did mean windows..

              I followed your steps from the other posts but wasn't allowed loggin in as local admin..
              I get the following error:
              "Local policy setting prevent from you from logging in to this machine"

              I deleted the restricted group and everything worked fine

              What should I do to fix this? I think it would be the best option

              And the program that is being used requires local admin so theres no way around that one
              Last edited by BigDan; 17th December 2007, 17:54. Reason: just adding more info
              << Working together to prevent ID10T errors >>

              Comment


              • #8
                Re: How do you add Admin rights (locally) to a user?

                I found a way to make it work!

                So after trying many many ways, I figured I would keep it simple as possible and tried the following:

                IN Active Directory Users and Computers
                1) I created a Global Security Group called Local Admin Group
                2) Added the users to this group

                ON Local Computers (once again WinXP Pro)
                3) Logged in as Administrator and went into:
                Control Panel -> User Accounts -> Advanced -> Advanced -> Groups -> (double click Administrators) -> Add -> Local Admin Group (same as created above)

                This combined with a GPO to map the drive allows the users to login as a local Admin, have the drive mapped so there is no more errors and users can now login in anywhere!

                Thank-you everyone who helped out and offered your advice!!
                I guess this goes to show that things can be easier than we all think!

                Rem,
                Do you know why the Restricted Groups didn't work? or behaved the way it did? Just a thought / lesson for the future...
                Last edited by BigDan; 17th December 2007, 21:59. Reason: extended thought
                << Working together to prevent ID10T errors >>

                Comment


                • #9
                  Re: How do you add Admin rights (locally) to a user?

                  Do you know why the Restricted Groups didn't work? or behaved the way it did? Just a thought / lesson for the future...
                  It appears to me as a combination of two factors,

                  1st -
                  The policy;
                  Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
                  "Log on locally" and "Deny logon locally"
                  Are re-configured with the result that now only members of the Administrators group are allowed to log-on to the clients.

                  -=And=-
                  2ndly -
                  There could be a configuration problem in how the members are added to the Restricted Group. The gropups are overwritten, but no members are added.

                  Can you send screenshots of the Restricted Group you created.

                  \Rems
                  Last edited by Rems; 18th December 2007, 13:44.

                  This posting is provided "AS IS" with no warranties, and confers no rights.

                  __________________

                  ** Remember to give credit where credit's due **
                  and leave Reputation Points for meaningful posts

                  Comment

                  Working...
                  X