
CS101 time please
I inherited a locked down server domain thingy setup last term and I'd like to loosen it up a bit.
Obviously this sort of request will choke some NM around here but I only go to this school for 2.5 hrs once a fortnight and the teachers need to get on and do some work without waiting for me to turn up!
The teachers have individual logons and I'd like them to have full admin rights to their laptops when logged into the domain (They logon as local administrator at home but I'd like them to be able to change things like power settings when logged into the domain without technical support)
I think this is basic stuff but googling seems to bring up a lot of noise.
Could someone give me a quick run down of what I need to do (and where I do it - on each laptop or is there automagic AD/GPO stuff I can do)?
Ta
Simon

If you go onto local users by right clicking my computer > manage. Find the administrators group and add the domain user to that group.

mm - that's what I did but it didn't seem to make any diff - when logged on as the teacher I still couldn't alter the laptop power settings - I'll check again when I go back
regards
Simon

Is there a group policy stopping it? Although the teacher has local admin rights it will still apply group policies.
I have setup similar scenarios previously, I have used a batch script to add %username% to the Local Administrators Group on the machine. This was run in a Startup Script; I’ve also added it into the same GPO that has the modified GUI permissions.
Then moving the laptops into another OU, or modifying the existing one, change the Group Policy to not block the Control Panel applets required and so forth.
As stated above, Group Policy will override the Local Admin Privileges.
Now to attend to a fire alarm!!
The other thing they can do is:
Hold down SHIFT and right-click on the Power Options icon (or install program etc.). They can then click 'Run As' and type in their local admin password.
This would be preferential to giving local admin rights because it means they can't do things by accident!

Good suggestion.
Add the laptops to their own OU and use loop back processing. This will strip away any GPOs being applied. You can then apply any specific GPOs to the OU containing the teachers' laptops.
Here's how I do it (probably the solution you're looking for).
Active Directory Users & Computers -> Create New Group (Global, Security) - Local_Admin is what I use
Add the staff members in the domain to this group.
Next create a group policy in the OU where your laptops/pcs are that the staff members will be using.
Edit the Policy and find Startup/Shutdown (Under computer configuration, windows settings).
Add a new batch file to the startup list as below:
Startup.bat
Code:
@ECHO OFF
net localgroup Administrators /add "MYDOMAIN\Local_Admin"
Change MYDOMAIN to your domain name and change Local_Admin if you didn't use that as your security group.
Anyone you add to Local_Admin from now on will get Local Admin rights on the PCs in that specific OU.
Nice job... I'm going to use this method from now on!
Cheers!
We do a similar thing to Frazer - but find it's easier if, when you prepare the Ghost Image (or however you do it), you join the local PC Administrators Group to the Local_Admin group - then as you say - you can drop people in and out in AD to give rights - though it's worth saying that due to the way Policies etc. are applied it can take a couple of restarts to get this to apply at the PC end.
Start > Control Panel > User Accounts
Select Advanced tab
Select Advanced
Select Groups
Join the Administrators group to the unity\Local PC Admin group

Thanks for all the suggestions - I'll cycle through them next time I'm there.
@eean
I like yours a lot (being the simplest) - I hope it works
@zorba
:?: :?: :?:...use loop back processing...
I can see you're new here - think Joey from Friends when communicating info to me
regards
Simon

Only had a chance to quickly try out eean's idea this week - it lets you change the settings - but only for the administrative user used for the runas - i.e. it doesn't affect the logged in user
regards
Simon
Try adding this to the logon script.....
net localgroup administrators /add "DOMAIN\%username%"
This would specifically add the user that is logging on.
Glenn
Not sure if this is any help in this situation and I've not seen it shown so far, but you can apply local group membership via GPO directly.
There is a Restricted Groups setting in the Work station policy. You can add users, or groups to be members of the local admin group (or any other). My only advice would be to also include Domain Admins to the local Admin group because even though this is by default, using Restricted Groups will remove locally set domain groups. (although it doesn't affect users who login locally, or any local group - only domain)
If unsure, google for Restricted Group GPO
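Whichever of the methods in this thread is used (startup script, per-user logon script, or Restricted Groups), the result is worth checking on a laptop afterwards. The following is an added example, not part of any post above: a PowerShell audit of the local Administrators group against an allowlist. It assumes Windows PowerShell 5.1 or later and reuses the thread's placeholder names MYDOMAIN and Local_Admin; the function name Get-AdminAudit is hypothetical.

```powershell
# Added example: audit who is in the local Administrators group.
# MYDOMAIN and Local_Admin are the placeholder names used in the thread;
# replace them with your own domain and security group.
$Domain  = 'MYDOMAIN'
$Allowed = @(
    "$Domain\Domain Admins",   # kept so Restricted Groups does not lock admins out
    "$Domain\Local_Admin"      # the AD group that grants staff local admin
)

function Get-AdminAudit {
    param([string[]]$AllowedNames)

    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators,
    # so this works even if the group has been renamed or localised.
    Get-LocalGroupMember -SID 'S-1-5-32-544' | ForEach-Object {
        # The built-in local Administrator account always has RID 500.
        $isBuiltin = ($_.PrincipalSource -eq 'Local') -and
                     ($_.SID.Value -match '-500$')
        [pscustomobject]@{
            Name     = $_.Name
            Class    = $_.ObjectClass       # User or Group
            Source   = $_.PrincipalSource   # Local or ActiveDirectory
            Expected = $isBuiltin -or ($AllowedNames -contains $_.Name)
        }
    }
}

$report = @(Get-AdminAudit -AllowedNames $Allowed)
$report | Format-Table -AutoSize

# Individual domain users listed here were added per machine (for example
# by a "%username%" script) and are not controlled by AD group membership.
$unexpected = @($report | Where-Object { -not $_.Expected })
if ($unexpected.Count -gt 0) {
    Write-Warning ("{0} unexpected member(s) of local Administrators:" -f $unexpected.Count)
    $unexpected | ForEach-Object { Write-Warning ("  {0} ({1})" -f $_.Name, $_.Class) }
    exit 1
}
Write-Output 'Local Administrators membership matches the allowlist.'
```

Run it from an elevated prompt on the laptop; a non-zero exit code means an account outside the allowlist holds local admin rights.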