How do you do....it? Thread, making staff local administrators in Technical
29th August 2008, 04:41 PM #16
The beauty of this is that you can specify who you want to become administrators by putting them in groups in Active Directory. What I have done is blanket added all staff, however I could have created a group called Special Staff, and added in a few usernames to the group, and then added that group in the GPO. I have also applied my GPO to ALL non-server machines, however you can also hand-pick which machines the GPO is applied to, say for example, all the machines in one classroom.
29th August 2008, 06:18 PM #17
We don't do this anymore but we used to use this method to add some users to the power users group as well; this helped certain apps run but didn't give staff full admin rights. This was a good compromise for users that just have to fiddle with things.
13th March 2009, 03:55 PM #18
OK well that didn't last long. Now removed staff from local administrators!
16th March 2009, 01:58 AM #19
What happened? I'm just about to implement this, is the problem with staff abusing privileges?
16th March 2009, 09:59 AM #20
They installed so much crap on them; toolbars, Sky on demand, software for their digital cameras and mobile phones, and other crap. Then they were coming to us complaining that their computers are running slow and not working properly. And blaming us for it.
So, they have had the privilege revoked. If they want software on, they can give us advance notice and we will install it for them. More work in the short term, but will save us a lot of time and grief in the long term.
14th April 2010, 02:22 AM #21
I'm just setting this up again, and whilst it works to give staff admin rights on the local machine, it seems to give them admin rights to every machine. I.e., they can browse the c$ and d$ shares of every machine this applies to. How would I have it so they are only administrator of the actual machine they are logged onto?
14th April 2010, 07:46 AM #22
How are you setting the admin rights? I set mine by logging onto the PC they need admin rights on and going to Control Panel, Users and then you can add the domain user in on that screen and set the type of settings they need, e.g. Administrators. That should AFAIK just work on that one local machine, not all the network. If you make them a Domain Admin / Administrators on the AD server then that will apply to all machines on the LAN.
14th April 2010, 08:20 AM #23
I'm just doing it through cookie_monster's group policy from the 1st page of this thread. I don't fancy visiting every computer to do this, we have about 400 staff with their own machines.
14th April 2010, 08:50 AM #24
I think you can do this with group policy preferences but I can't find the details :-(
I would script it by recording somewhere who "owns" each machine and then use a machine startup script to add that user to local admins just on that machine. This won't work with the restricted groups policy - the policy will reverse your script.
14th April 2010, 09:11 AM #25
I think, as Steve says, scripting will be the only option here. Restricted groups will add users to the local admins group on all PCs that the GPO applies to; this is why it's great for removing people from admins.
How many PCs do you need to modify? You could create a GPO and filter it to a specific group, then lock down the desktop to stop the users mapping drives or browsing UNC paths to another PC's C: drive.
What is the need for users to have local admin access? Is it a problem with certain apps?
14th April 2010, 09:17 AM #26
Written a quick little guide for Group Policy Preferences - doesn't explain what you need to do but should set you on your way, mess around with it if that is the way you want to go.
14th April 2010, 09:24 AM #27
Very nice, you have too much time on your hands to be able to write them up that well. I usually scribble something down in Notepad, that's about as fancy as I get due to time!
14th April 2010, 09:33 AM #28
As has been said, Group Policy will add the users as local admins of every machine, which will also make them admins of machines you are not logged on to. The other option is a login script which adds them as a local admin of just the machine they are logging on to, and a logoff script which takes them out of the group. This way they'll be able to administer a machine only when they're logged on to it.
Something like this should do it (taken from here):
Set oWshNet = CreateObject("WScript.Network")
sUser = "fill in some domain user name here"
sNetBIOSDomain = oWshNet.UserDomain
sComputer = oWshNet.ComputerName
' bind to the local Administrators group and to the domain user account
Set oGroup = GetObject("WinNT://" & sComputer & "/Administrators,group")
Set oUser = GetObject("WinNT://" & sNetBIOSDomain & "/" & sUser & ",user")
' suppress errors in case the user is already a member
On Error Resume Next
' add the domain user to the local Administrators group
oGroup.Add oUser.ADsPath
On Error Goto 0
14th April 2010, 09:46 AM #29
Ssssssssssh, don't tell the boss! :P
14th April 2010, 12:24 PM #30
Do you need to run this script with admin rights to change the group membership? Our logon scripts run with the logged on user privileges so couldn't make the change.
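The per-machine approach suggested in post #24 (record who owns each machine, then add only that user at machine startup), as an added PowerShell example that is not part of any post in the thread. It assumes the LocalAccounts cmdlets of Windows PowerShell 5.1; the machine names, the SCHOOL domain and the user names are constructed, and as post #24 notes, a Restricted Groups policy on the same machines would reverse it.

```powershell
# Added example, not from the thread. Meant to run as a COMPUTER startup
# script: those run as Local System, which may edit local groups, whereas a
# user logon script runs with the logged-on user's rights.
param(
    [switch]$Apply    # without -Apply the script only reports what it would do
)
$computer = $env:COMPUTERNAME

# Constructed sample map (hypothetical machine names, domain and users).
# In deployment this would be a file the machines can read, via Import-Csv.
$ownerMap = @'
Computer,Owner
ROOM12-PC01,SCHOOL\jsmith
ROOM12-PC02,SCHOOL\mjones
'@ | ConvertFrom-Csv

$row = $ownerMap | Where-Object { $_.Computer -eq $computer } | Select-Object -First 1
if (-not $row) {
    Write-Output "No owner recorded for $computer; local Administrators left unchanged"
    return
}
$owner = $row.Owner

# Built-in Administrators, found by well-known SID so a localized name is fine.
$admins  = Get-LocalGroup -SID 'S-1-5-32-544'
$members = @(Get-LocalGroupMember -Group $admins)

# Individual domain USERS other than the owner are removed, so a machine that
# changes hands does not accumulate admins. Domain groups (e.g. Domain Admins)
# and local accounts are left alone.
$stale = @($members | Where-Object {
    $_.ObjectClass -eq 'User' -and
    $_.PrincipalSource -eq 'ActiveDirectory' -and
    $_.Name -ne $owner
})
foreach ($m in $stale) {
    if ($Apply) { Remove-LocalGroupMember -Group $admins -Member $m.Name }
    Write-Output "Remove $($m.Name) from Administrators on $computer (applied: $Apply)"
}

# Add the recorded owner only if not already a member.
if ($members.Name -notcontains $owner) {
    if ($Apply) { Add-LocalGroupMember -Group $admins -Member $owner }
    Write-Output "Add $owner to Administrators on $computer (applied: $Apply)"
}
```

Because membership is granted per machine, the owner is an administrator only on their own PC and gains no access to the c$ and d$ shares of other machines.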