Giving domain users local admin rights

  1. binarysoul (#1)

    I'm honestly a bit confused about user rights on Windows Server 2003.

    Let's say I have 100 users whom I've created on a Win2k3 domain controller. When they login to the domain from a PC, they don't have any admin rights on that PC. I suspect I should work through GPO to do something, but was wondering if somebody had an answer.

    Thanks!

  2. SS (#2)
    You need to give them administrator permissions via the local machine.

  3. genXrcist (#3)
    Quote Originally Posted by binarysoul:
    I'm honestly a bit confused about user rights on Windows Server 2003.

    Let's say I have 100 users whom I've created on a Win2k3 domain controller. When they login to the domain from a PC, they don't have any admin rights on that PC. I suspect I should work through GPO to do something, but was wondering if somebody had an answer.

    Thanks!
    You should use Group Policy -> Restricted Groups to place whomever you want into the administrators group you please. Link it to the Site, Domain or the OU with the users in it and voila!

  4. blargoe (#4)
    Not sure what you're asking. Are you trying to make the primary user of each computer a local admin on that PC? No way to automate that that I know of.

    If you're just trying to make a particular domain group or domain user an administrator on all the PCs, that's pretty easy if you put all the computers into an OU and set up some Restricted Groups group policies for the Administrators group. Enforce "Members" to force the same list of users in the Administrators group when the GPO is refreshed; enforce "Member Of" to allow changes to the Administrators group but always refresh the membership with the users/groups you want to have added.
    IT guy since 12/00

    Recent: 1/29/2018 - Passed 70-743 - MCSA 2016 Complete; 1/13/2018 - Passed 70-411 - MCSA 2012 complete
    Working on: Being a better coder, build/test/deploy automation fundamentals
    Future: Renew VCP (due 2/2019), possibly with an adjacent VCP or VCAP

  5. royal (#5)
    Sure there's a way to automate this.

    Use Restricted Groups to nest the Interactive group into the local Administrators group. Any user who logs onto their machine will be local admin ONLY for the machine they're logged onto.

    Problem solved!

  6. blargoe (#6)
    I hadn't thought of that, royal... that's not really what I meant though. I had in mind that he'd want each person's computer to have only THAT person added to the Administrators group and leave other people out of the group, rather than making anyone who logs in with a valid domain user account an administrator.

  7. RobertKaucher (#7)
    What are the management issues involved? When the user moves or changes departments, do they need to be removed from the group?

    I could see you doing something like this with a PowerShell script.

    Here is one you could start with:
    PowerShell script to add/remove a domain user to the Local Administrators group on a remote machine - Ying Li(MVP) at myITforum.com

    Next you would just need a valid list of computer/user names and write a loop.

  8. binarysoul (#8)
    Let me explain the situation.

    Let's say about 20 WinXP PCs were installed using the Windows Deployment utility (Win2k3) and all PCs joined a domain. So when users logged in to the domain from their PC, they had limited access on that PC. Each user uses their own PC, so they're not logging in from different PCs.

    I then logged in as the local administrator on a PC and added a user wsmith and gave it admin rights on the PC. Since there was already a profile created under c:\documents and settings\wsmith, Windows created another user profile called PCNAME.wsmith. So now when the user logs in to the domain they have admin rights on the PC.

    This doesn't seem a good solution. Royal mentioned "Restricted Groups"; maybe someone can elaborate on that, as I have no clue about this group.

  9. binarysoul (#9)
    Quote Originally Posted by RobertKaucher:
    What are the management issues involved. When the user moves or changes departments do they need to be removed from the group?

    I could see you doing something like this with a PowerShell script.

    Here is one you could start with:
    PowerShell script to add/remove a domain user to the Local Administrators group on a remote machine - Ying Li(MVP) at myITforum.com

    Next you would just need a valid list of computer/user names and write a loop.
    Thanks! That's exactly what I wanted. But the million dollar question is whether I can do it without using that script! I mean isn't there a way to do it on the Win2k3 server?

  10. RobertKaucher (#10)
    The short answer is no. There is no built-in method to easily add a single user to the local group on a single machine. The reason is that the server only understands the AD groups, whereas the local groups are stored in the SAM database.

    The problem here is there is no easy/efficient way to do this via group policy. You would have to create an OU for each user, place that user's PC in the OU, and then create a GPO for each of the OUs.

    Your best solution is to use something like PowerShell. You can even do that from your PC.

  11. RobertKaucher (#11)
    Quote Originally Posted by binarysoul:
    Royal mentioned about "Restricted Groups", maybe someone can elaborate on that as I have got no clue on this group
    The way Royal suggested would make anyone who is logged on to the PC a local admin. This means that if I signed in to PC100 I would be a local admin. If I signed into PC101, I would also be a local admin. This does not seem like what you want.

  12. Senior Member (#12)
    Quote Originally Posted by binarysoul:
    Thanks! That's exactly what I wanted. But the million dollar question is whether I can do it without using that script! I mean isn't there a way to do it on the Win2k3 server?
    You can install PowerShell on Windows Server 2003.

  13. blargoe (#13)
    Quote Originally Posted by binarysoul:
    I then logged in as the local administrator on a PC and added a user wsmith and gave it admin rights on the PC. Since there was already a profile created under c:\documents and settings\wsmith, Windows created another user profile called PCNAME.wsmith. So now when the user logs in to the domain they have admin rights on the PC.
    I think you are saying that you (as the local Administrator account on the PC) created a new user account wsmith on the PC, probably using Computer Management -> Local Users and Groups, then you added that user to the Administrators group? And then the domain user ended up with admin rights? That doesn't make sense... All that you should have had to do is add the user "DOMAINNAME\wsmith" to Administrators. I think that's actually what you did, since that guy actually ended up with rights. Creating a local account for wsmith isn't required at all.

    I might be misunderstanding you though.

  14. RobertKaucher (#14)
    Quote Originally Posted by blargoe:
    I think you are saying that you (as the local Administrator account on the PC) created a new user account wsmith on the PC, probably using Computer Management -> Local Users and Groups, then you added that user to the Administrators group? And then the domain user ended up with admin rights? That doesn't make sense... All that you should have had to do is add the user "DOMAINNAME\wsmith" to Administrators. I think that's actually what you did, since that guy actually ended up with rights. Creating a local account for wsmith isn't required at all.

    I might be misunderstanding you though.
    I believe that what Bin wanted to say was that now when the user logs on with the domain account the user does NOT have admin rights. The two accounts DOMAIN\wsmith and %computername%\wsmith would not have the same SID and would not be confused by the SAM on the local PC. Therefore DOMAIN\wsmith should not have admin rights unless explicitly having been granted admin rights. I believe he mistyped and that's why it seems confusing.

    It seems like this is a new domain that had previously operated as a workgroup.

  15. RobertKaucher (#15)
    OK, for those who would like it, I have created a modified version of the PowerShell script in the post I made before. It needs to be called with two parameters: the location of a file with computer,username on each line, and then the action to be performed (add or del) to either add the user to the local Administrators group or delete the user from the local Administrators group.

    PS C:> .\scriptname.ps1 .\list.txt add
    as an example.
    I have not included any error checking, so if you fubar the params it might blow up.

    I have tested it but provide no warranty.

    # Edit the variable below to the NetBIOS name of your domain. If the domain name is test.local, enter only test.
    $domain   = "test"
    $fileName = $args[0]
    $action   = $args[1]

    # Get the list of computers and users (one "computer,username" pair per line) and read them into an array.
    $a = Get-Content $fileName

    # This lists what's currently in the Administrators group so you can verify the result.
    function ListAdministrators($Group)
    {
        $members = $Group.psbase.Invoke("Members") |
            ForEach-Object { $_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null) }
        $members
    }

    # Cycle through each computer/user and add or remove them from the local Administrators group.
    foreach ($string in $a)
    {
        $b = $string.Split(",")
        $strComputer = $b[0].Trim()
        $username    = $b[1].Trim()

        # Bind to the remote computer with the WinNT provider (works against XP/2003 SAM databases).
        $computer = [ADSI]("WinNT://" + $strComputer + ",computer")
        $computer.Name

        $Group = $computer.psbase.Children.Find("Administrators")
        $Group.Name

        ListAdministrators $Group

        # Even though we are adding an AD account, we add it to the local computer, so we use the WinNT: provider
        # and name the account as WinNT://DOMAIN/username.
        $userPath = "WinNT://" + $domain + "/" + $username

        if ($action -eq "add")
        {
            $Group.Add($userPath)
            ListAdministrators $Group
        }
        elseif ($action -eq "del")
        {
            $Group.Remove($userPath)
            ListAdministrators $Group
        }
    }
    Last edited by RobertKaucher; 08-14-2009 at 12:30 PM.
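    The script above grants the rights; the follow-up question RobertKaucher raised in #7 (what happens when a user moves departments) and the warning in #11 (the Interactive trick makes everyone an admin everywhere) both come down to knowing who is actually in the local Administrators group on each PC. The following audit script is an added example written for this page; it is not from the thread, from Ying Li's script, or from Microsoft. It reads the same "computer,account" list format as the script above (with the account written as DOMAIN\user), walks the local Administrators group on each PC through the same WinNT provider, and reports members that are unexpected, members that are missing, and any entry such as NT AUTHORITY\INTERACTIVE or Domain Users that turns "one user per PC" into "every user on every PC". Assumed, not taken from the page: PowerShell 2.0 or later on the admin workstation, a NetBIOS domain name of TEST, PC names such as PC001, a helpdesk group called TEST\Helpdesk, and the expected.txt file format.

```powershell
# Added example, not from the thread: audit the local Administrators group on
# each PC and flag members that are not on the expected list.
# Assumptions (constructed for this example): PowerShell 2.0 or later, the running
# account is a local admin on every target PC, NetBIOS domain name TEST, and
# expected.txt holds one "computer,DOMAIN\user" pair per line, for example:
#   PC001,TEST\wsmith
#   PC002,TEST\jdoe
param(
    [Parameter(Mandatory = $true)][string] $ExpectedFile,
    [string] $Domain = "TEST",
    # Members that are acceptable on every PC (adjust to your environment).
    [string[]] $AlwaysAllowed = @("TEST\Domain Admins", "TEST\Helpdesk")
)

# Members that silently make every interactive or domain user a local admin.
$everyoneMembers = @("NT AUTHORITY\INTERACTIVE",
                     "NT AUTHORITY\Authenticated Users",
                     "$Domain\Domain Users")

# Build a lookup: computer name -> accounts that are supposed to be admins there.
$expected = @{}
foreach ($line in Get-Content $ExpectedFile) {
    if ($line.Trim() -eq "") { continue }
    $computer, $account = $line.Split(",") | ForEach-Object { $_.Trim() }
    $key = $computer.ToUpper()
    if (-not $expected.ContainsKey($key)) { $expected[$key] = @() }
    $expected[$key] += $account
}

function Get-LocalAdminMembers([string] $ComputerName) {
    # Returns "AUTHORITY\Name" for every member, using the WinNT provider so it
    # works against XP/2003 SAM databases just like the add/remove script.
    $group = [ADSI]("WinNT://$ComputerName/Administrators,group")
    foreach ($m in @($group.psbase.Invoke("Members"))) {
        $name = $m.GetType().InvokeMember("Name",    'GetProperty', $null, $m, $null)
        $path = $m.GetType().InvokeMember("AdsPath", 'GetProperty', $null, $m, $null)
        # AdsPath is WinNT://DOMAIN/user for domain accounts and
        # WinNT://DOMAIN/PCNAME/user for local ones; the part before the
        # name is the authority the account belongs to.
        $parts = ($path -replace '^WinNT://', '') -split '/'
        if ($parts.Count -ge 2) { "$($parts[-2])\$name" } else { $name }
    }
}

foreach ($pc in ($expected.Keys | Sort-Object)) {
    try {
        $actual = @(Get-LocalAdminMembers $pc)
    } catch {
        Write-Warning "$pc : could not read the Administrators group ($($_.Exception.Message))"
        continue
    }
    foreach ($member in $actual) {
        # The built-in local Administrator is always a member and cannot be removed.
        if ($member -like "$pc\Administrator") { continue }
        if ($everyoneMembers -contains $member) {
            "$pc : $member grants admin to every user who logs on (EVERYONE-ADMIN)"
        } elseif ($AlwaysAllowed -contains $member) {
            # Allowed on every PC; nothing to report.
        } elseif ($expected[$pc] -contains $member) {
            # Exactly the grant the list says this PC should have.
        } else {
            "$pc : $member is a local admin but is not on the expected list (UNEXPECTED)"
        }
    }
    foreach ($account in $expected[$pc]) {
        if ($actual -notcontains $account) {
            "$pc : $account should be a local admin but is not (MISSING)"
        }
    }
}
```

    Run it as .\audit-localadmins.ps1 .\expected.txt (the file name is an assumption). An UNEXPECTED line is the department-move case from #7: a grant the list no longer justifies, which the add/remove script above can revert with the del action. An EVERYONE-ADMIN line means someone has applied the Interactive nesting from #5, or its Domain Users equivalent, and every valid domain logon on that PC is an administrator, which is exactly the situation #11 warns about. A MISSING line usually means the machine was reimaged or a Restricted Groups "Members" policy has overwritten the local membership.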