How do you do....it? Thread: making staff local administrators (in Technical)
  1. #16

    RabbieBurns's Avatar
    Join Date
    Apr 2008
    Location
    Sydney
    Posts
    5,527
    Thank Post
    1,339
    Thanked 470 Times in 307 Posts
    Blog Entries
    6
    Rep Power
    199
    The beauty of this is that you can specify who you want to become administrators by putting them in groups in Active Directory. What I have done is blanket added all staff, however I could have created a group called Special Staff, and added in a few usernames to the group, and then added that group in the GPO. I have also applied my GPO to ALL non-server machines, however you can also hand-pick which machines the GPO is applied to, say for example, all the machines in one classroom.

  2. #17
    cookie_monster's Avatar
    Join Date
    May 2007
    Location
    Derbyshire
    Posts
    4,203
    Thank Post
    394
    Thanked 278 Times in 239 Posts
    Rep Power
    74
    We don't do this anymore, but we used to use this method to add some users to the Power Users group as well; this helped certain apps run but didn't give staff full admin rights. This was a good compromise for users that just have to fiddle with things.

  3. #18

    RabbieBurns's Avatar
    OK well that didn't last long. Now removed staff from local administrators!

  4. #19

    Join Date
    Aug 2008
    Location
    Adelaide
    Posts
    6
    Thank Post
    4
    Thanked 0 Times in 0 Posts
    Rep Power
    0
    Quote Originally Posted by RabbieBurns View Post
    OK well that didn't last long. Now removed staff from local administrators!
    What happened? I'm just about to implement this, is the problem with staff abusing privileges?

  5. #20

    RabbieBurns's Avatar
    They installed so much crap on them; toolbars, Sky on demand, software for their digital cameras and mobile phones, and other crap. Then they were coming to us complaining that their computers are running slow and not working properly. And blaming us for it.

    So, they have had the privilege revoked. If they want software on, they can give us advance notice and we will install it for them. More work in the short term, but will save us a lot of time and grief in the long term.

  6. #21

    RabbieBurns's Avatar
    I'm just setting this up again, and whilst it works to give staff admin rights on the local machine, it seems to give them admin rights to every machine. I.e., they can browse the c$ and d$ shares of every machine this applies to. How would I have it so they are only administrator of the actual machine they are logged onto?

  7. #22

    john's Avatar
    Join Date
    Sep 2005
    Location
    London
    Posts
    10,619
    Thank Post
    1,499
    Thanked 1,053 Times in 922 Posts
    Rep Power
    304
    How are you setting the admin rights? I set mine by logging onto the PC they need admin rights on and going to Control Panel, Users and then you can add the domain user in on that screen and set the type of settings they need EG Administrators. That should AFAIK just work on that one local machine not all the network. If you make them a Domain Admin / Administrators on the AD server then that will apply to all machines on the LAN.

  8. #23

    RabbieBurns's Avatar
    I'm just doing it through cookie_monster's group policy from the 1st page of this thread. I don't fancy visiting every computer to do this, we have about 400 staff with their own machines.

  9. #24

    Join Date
    Aug 2005
    Location
    London
    Posts
    3,156
    Thank Post
    116
    Thanked 529 Times in 452 Posts
    Blog Entries
    2
    Rep Power
    124
    I think you can do this with group policy preferences but I can't find the details :-(

    I would script it by recording somewhere who "owns" each machine and then use a machine startup script to add that user to local admins just on that machine. This won't work with the restricted groups policy - the policy will reverse your script.
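
One way to implement the startup-script approach suggested in the post above, as an added example that is not part of the original thread. It assumes PowerShell 5.1 or later (the LocalAccounts cmdlets); the owner list, the EXAMPLE domain, the machine names and the function names are hypothetical. Computer startup scripts run as Local System, so the script can change local group membership without the user holding any rights.

```powershell
# Added example: computer startup script that makes only the recorded owner
# a local administrator of this one machine.
# Constructed sample data; in practice keep the map somewhere only admins can write.
$ownerCsv = @'
ComputerName,Owner
STAFF-PC-001,EXAMPLE\asmith
STAFF-PC-002,EXAMPLE\bjones
'@

function Get-MachineOwner {
    param([string]$ComputerName, [string]$CsvText)
    # Return the owner recorded for this machine, or $null if none is recorded.
    $row = $CsvText | ConvertFrom-Csv |
        Where-Object { $_.ComputerName -eq $ComputerName } |
        Select-Object -First 1
    if ($row) { $row.Owner } else { $null }
}

function Set-OwnerAsLocalAdmin {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [string]$CsvText = $ownerCsv
    )
    $adminsSid = 'S-1-5-32-544'   # built-in Administrators, independent of OS language

    $owner = Get-MachineOwner -ComputerName $ComputerName -CsvText $CsvText
    if (-not $owner) {
        # Fail closed: an unknown machine gets no extra administrators.
        Write-Warning "No owner recorded for $ComputerName; Administrators left unchanged."
        return
    }

    # Check membership explicitly instead of suppressing every error from the add.
    $members = Get-LocalGroupMember -SID $adminsSid | Select-Object -ExpandProperty Name
    if ($members -contains $owner) {
        Write-Verbose "$owner is already a local administrator of $ComputerName."
        return
    }
    if ($PSCmdlet.ShouldProcess("Administrators on $ComputerName", "Add $owner")) {
        Add-LocalGroupMember -SID $adminsSid -Member $owner -ErrorAction Stop
    }
}

# Dry run; remove -WhatIf once the owner map has been checked.
Set-OwnerAsLocalAdmin -WhatIf
```

As the post notes, a Restricted Groups policy applied to the same machines will undo the change at the next policy refresh, so the two approaches should not target the same computers.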

  10. #25
    cookie_monster's Avatar
    I think, as Steve says, scripting will be the only option here. Restricted groups will add users to the local admins group on all PCs that the GPO applies to; this is why it's great for removing people from admins.

    How many PCs do you need to modify? You could create a GPO and filter it to a specific group, then lock down the desktop to stop the users mapping drives or browsing UNC paths to another PC's C: drive.

    What is the need for users to have local admin access? Is it a problem with certain apps?

  11. #26
    rh91uk's Avatar
    Join Date
    Sep 2008
    Location
    UK
    Posts
    877
    Thank Post
    137
    Thanked 132 Times in 114 Posts
    Rep Power
    36
    Written a quick little guide for Group Policy Preferences - doesn't explain what you need to do but should set you on your way, mess around with it if that is the way you want to go.

  12. Thanks to rh91uk from:

    john (14th April 2010)

  13. #27

    john's Avatar
    Very nice, you have too much time on your hands to be able to write them up that well. I usually scribble something down in Notepad; that's about as fancy as I get due to time!

  14. #28

    Join Date
    Mar 2008
    Location
    Surrey
    Posts
    2,168
    Thank Post
    98
    Thanked 319 Times in 261 Posts
    Blog Entries
    4
    Rep Power
    113
    Quote Originally Posted by RabbieBurns View Post
    I'm just setting this up again, and whilst it works to give staff admin rights on the local machine, it seems to give them admin rights to every machine. I.e., they can browse the c$ and d$ shares of every machine this applies to. How would I have it so they are only administrator of the actual machine they are logged onto?
    As has been said, Group Policy will add the users as local admins of every machine, which will also make them admins of machines you are not logged on to. The other option is a login script which adds them as a local admin of just the machine they are logging on to, and a logoff script which takes them out of the group. This way they'll be able to administer a machine only when they're logged on to it.

    Something like this should do it (taken from here):

    Code:
    Set oWshNet = CreateObject("WScript.Network" ) 
    
    sUser = "fill in some domain user name here" 
    
    sNetBIOSDomain = oWshNet.UserDomain 
    sComputer = oWshNet.ComputerName 
    
    Set oGroup = GetObject("WinNT://" & sComputer & "/Administrators,group" ) 
    Set oUser = GetObject("WinNT://" & sNetBIOSDomain & "/" & sUser & ",user" ) 
    
    ' suppress errors in case the user is already a member 
    On Error Resume Next 
    oGroup.Add(oUser.ADsPath) 
    On Error Goto 0

  15. #29
    rh91uk's Avatar
    Quote Originally Posted by john View Post
    Very nice, you have too much time on your hands to be able to write them up that well. I usually scribble something down in Notepad; that's about as fancy as I get due to time!
    Ssssssssssh, don't tell the boss! :P

  16. #30
    cookie_monster's Avatar
    Quote Originally Posted by jamesb View Post
    As has been said, Group Policy will add the users as local admins of every machine, which will also make them admins of machines you are not logged on to. The other option is a login script which adds them as a local admin of just the machine they are logging on to, and a logoff script which takes them out of the group. This way they'll be able to administer a machine only when they're logged on to it.

    Something like this should do it (taken from here):

    Code:
    Set oWshNet = CreateObject("WScript.Network" ) 
    
    sUser = "fill in some domain user name here" 
    
    sNetBIOSDomain = oWshNet.UserDomain 
    sComputer = oWshNet.ComputerName 
    
    Set oGroup = GetObject("WinNT://" & sComputer & "/Administrators,group" ) 
    Set oUser = GetObject("WinNT://" & sNetBIOSDomain & "/" & sUser & ",user" ) 
    
    ' suppress errors in case the user is already a member 
    On Error Resume Next 
    oGroup.Add(oUser.ADsPath) 
    On Error Goto 0


    Do you need to run this script with admin rights to change the group membership? Our logon scripts run with the logged-on user's privileges so couldn't make the change.
