Allow user admin rights to single PC

  • Allow user admin rights to single PC

    Hi everyone,

    We have about 50 users in a domain environment, one of which needs admin rights to her PC. Rather than assign her under the "Domain Admins" group, is there a more restrictive group that I can add/create? What I'm trying to achieve here is to allow this one user to be able to install/update programs as needed ONLY on this PC.

    I already attempted to add the account under the BUILTIN\Administrators group but that still asks for an admin login. This is on a Windows 7 Pro PC.

  • #2
    Re: Allow user admin rights to single PC

    If you are looking at the "Domain Admins" and/or "Builtin\Administrators" groups, it sounds like you are using the Active Directory Users and Computers console. Adding the users to either of these groups is not recommended, especially if the user only needs admin access (or similar) to a single PC.

    What you need to do is log onto the target PC (or connect to it via computer management MMC console remotely) as an Admin, then find the Local Users and Groups section, expand groups. Then look at the properties, membership of the Administrator's group. This is the local admins group for only that target PC.

    If you add the domain user account as a member of this group, the user will have admin access to this PC.

    If the user doesn't require full admin access, you can try to add the user to the "Power Users" group to see if there are enough rights for this user to perform the required functions.

    Otherwise, you can modify the local policy of that target system and provide additional rights without having to be an admin, but you need to know exactly what you are doing for this process.
    JM @ IT Training & Consulting
    http://www.itgeared.com



    • #3
      Re: Allow user admin rights to single PC

      you could also create a policy to use "RestrictedGroups", and then link it only to that computer, via WMI.

      The other thing, which I'd never thought of,

      Has anyone ever tried putting an AD user object as a member of a local computer group,

      ie putting DPETRI\TehCamel as a member of TehCamel-PC\Administrators?


      • #4
        Re: Allow user admin rights to single PC

        Originally posted by tehcamel
        you could also create a policy to use "RestrictedGroups", and then link it only to that computer, via WMI.

        The other thing, which I'd never thought of,

        Has anyone ever tried putting an AD user object as a member of a local computer group,

        ie putting DPETRI\TehCamel as a member of TehCamel-PC\Administrators?

        Yes, you certainly can, as long as the PC is a member of the domain (or a trusted domain). (Domain Admins is normally a member of the local admins group.)



        • #5
          Re: Allow user admin rights to single PC

          Originally posted by crowntech
          Hi everyone,

          We have about 50 users in a domain environment, one of which needs admin rights to her PC. Rather than assign her under the "Domain Admins" group, is there a more restrictive group that I can add/create? What I'm trying to achieve here is to allow this one user to be able to install/update programs as needed ONLY on this PC.

          I already attempted to add the account under the BUILTIN\Administrators group but that still asks for an admin login. This is on a Windows 7 Pro PC.

          All you need to do is add the domain account to the local admin group of the PC. What exactly is asking for an admin logon? Some programs/installs etc. need to be run with elevated privileges even though you are logged on as an administrator.



          • #6
            Re: Allow user admin rights to single PC

            You can try a computer startup script;

            i.e.
            Code:
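            @echo off

            :: Domain username - computer assignments (about 50 lines)
            call:Match "Paula" "computer-010"
            call:Match "Rems"  "computer-011"
            call:Match "Benny" "computer-012"
            :: ~etc.~


            goto:EOF ------------------ subroutines ------------
            :Match
            :: Continue only on the computer assigned to this user; %~1 is still set after the goto
            If /i "%computername%" EQU "%~2" goto:ADDuser "%~1"
            exit /b 0

            :ADDuser (or replace)
            :: Remove every member whose name contains "\" (domain accounts and groups), except
            :: Domain Admins and the assigned user, then add the assigned user.
            :: "%%a" is quoted so that member names containing spaces are removed correctly.
            for /f "tokens=*" %%a in (
               'Net.exe localgroup administrators ^|find "\" ^|find /i /v "\domain admins" ^|findstr /rivec:"\%~1"'
               ) do net.exe localgroup administrators "%%a" /DELETE
            :: DOMAINNAME stands for the name of the AD domain
            Net.exe localgroup Administrators "DOMAINNAME\%~1" /ADD
            exit /b 0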
            Replace the blue colored text in the batch with the name of your AD domain. Save the file with the cmd or bat extension.

            To ensure the startup script will run:
            In the GPO under: Computer Configuration\Policies\Administrative templates\System\Logon
            enable "Always wait for the network at computer startup and logon to the computer"



            /Rems
            Last edited by Rems; 16th December 2011, 17:05.

            This posting is provided "AS IS" with no warranties, and confers no rights.
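
A report-only check to run before (and after) the startup script above, as an added example that is not part of the thread: it lists the local Administrators group through the ADSI WinNT provider and marks the domain members that the script's `/DELETE` loop would remove. `DOMAINNAME` (the NetBIOS domain name) and `Paula` are the same placeholders as in the batch file; the function name is hypothetical.

```powershell
# Added example (report only): audit the local Administrators group.
# Assumptions: DOMAINNAME and Paula are placeholders taken from the batch script.
# Uses only PowerShell 2.0 features, so it runs on a stock Windows 7 PC.
param(
    [string]$Computer    = $env:COMPUTERNAME,
    [string]$Domain      = 'DOMAINNAME',
    [string]$AllowedUser = 'Paula'
)

function Get-LocalAdminAudit {
    param([string]$Computer, [string]$Domain, [string]$AllowedUser)

    # Domain principals the startup script leaves in place
    $expected = @("$Domain\Domain Admins", "$Domain\$AllowedUser")

    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        $adsPath = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        # WinNT://DOMAIN/name          -> domain account or group
        # WinNT://DOMAIN/COMPUTER/name -> local account on that computer
        # WinNT://S-1-5-...            -> SID that no longer resolves to a name
        $parts = ($adsPath -replace '^WinNT://', '') -split '/'

        switch ($parts.Count) {
            3       { $name = "$($parts[1])\$($parts[2])"; $status = 'Local account' }
            2       { $name = "$($parts[0])\$($parts[1])"
                      # -contains compares case-insensitively
                      if ($expected -contains $name) { $status = 'Expected' }
                      else                           { $status = 'Not expected (script would remove)' } }
            default { $name = $parts[0]; $status = 'Unresolved SID' }
        }
        New-Object PSObject -Property @{ Computer = $Computer; Member = $name; Status = $status }
    }
}

Get-LocalAdminAudit -Computer $Computer -Domain $Domain -AllowedUser $AllowedUser |
    Sort-Object Status, Member |
    Format-Table Computer, Member, Status -AutoSize
```

Querying a remote PC this way requires admin rights on that PC, the same as the Computer Management console mentioned earlier in the thread.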



            • #7
              Re: Allow user admin rights to single PC

              For 50 users I would just use the Computer Management tool to remotely manage each machine and add them to the local administrators account.



              • #8
                Re: Allow user admin rights to single PC

                I gave JM's advice a try and I was able to add the user under either group. Instead of adding the user under the Administrators group, I added her under the Power Users group to see if she'll be able to do her tasks. Seeing how this is really only for 1 or 2 users, creating a GPO is overkill since I've been able to lock down users with no problem.

                I'll find out soon enough if she'll be needing more rights, I imagine she will.

                One thing I did notice was there isn't a Power Users group in AD, any reason why they would omit this group? I wouldn't mind creating a Power Users group from scratch, I could always search around. It's a pain to have to run explorer with elevated privileges just so I don't have to log the user off to change power settings.

                Frosty: That would completely defeat the purpose of locking users down. Before I came along, all the computers were basically set that way and users were able to do what they wanted with their PCs. Not on my time!
                Last edited by crowntech; 16th December 2011, 17:14. Reason: reply to post



                • #9
                  Re: Allow user admin rights to single PC

                  Originally posted by crowntech
                  Frosty: That would completely defeat the purpose of locking users down. Before I came along, all the computers were basically set that way and users were able to do what they wanted with their PCs. Not on my time!

                  Heh, imagine 150 users under you alone with admin privileges. That's how it was for me and I've taken it away finally. (They weren't happy)
                  I guess I misunderstood your question, I thought you were trying to give them admin privileges without adding them to the domain admins group.

                  You could do what I did, disable auto updates on most programs through GP Preferences registry settings and push out the basic stuff that needs updating through GP. Flash, Acrobat, Java.
                  Also, look into Privilege Authority, it could help.



                  • #10
                    Re: Allow user admin rights to single PC

                    I did go about adding this single user via the Computer Management tool but this is one of those exceptions (can't have everyone wanting that)

                    That's basically what happened with some of my users as well, they weren't too pleased when they needed admin rights to delete icons from installed programs on their desktops.

                    I've actually been looking for a solution to push out updates for the mentioned products with the exception of Java which I'm considering completely removing. I'll be sure to take a look at that website when I have some spare time. Thanks for the suggestion!



                    • #11
                      Re: Allow user admin rights to single PC

                      Yeah, I had several complaining about deleted desktop icons. What I ended up doing was creating a policy in the Computer/Policies/Windows settings/Security settings/File System that gave them more rights to the Users/public/desktop folder.

                      Of course I was hesitant to do so cause some will accidentally delete a shortcut and think the whole program is gone.
