AccessMaster

Giving domain users local admin rights over their machines

Can someone tell me how to give domain users (2000 domain) local administrator rights over their machines?
The problem is I'm using Symantec Client Security and a Windows 2000 domain user does not have local administrative rights over the machine and it's very restrictive and won't allow her to use or limits her access to a lot of programs.

I created a group policy but I added everyone to the wrong administrators group and they had as much power as my domain administrator (which was very scary for a minute).

So specifically, how do I give the domain users administrative rights for the local machine?

Please be very specific.


SJ
Debsyl99

Hi
Try:
net localgroup Administrators /add "YOURDOMAIN\Domain Users"
Although I'd maybe use a security group on the domain, add the users you want and then add that group instead.

Deb :))

ASKER

O.K. Deb,

I'm trying to follow you. Where exactly is the localgroup administrators?
I've looked in Active Directory and I don't see such a group.
Do I need to create it? And if so how?



SJ
ASKER CERTIFIED SOLUTION
Debsyl99

This solution is only available to members.
O.K. Great, I think I understand.

Just to reiterate,

I need to create a security group in Active Directory - which will contain all of the domain users.
Then I need to visit each PC and type: net local group Administrators /add YOURDOMAIN\nameof securitygroup at the C:/ prompt

And that's it.

Let me tell you something strange that happened when I tried to manually add a domain user to the local administrative group on a PC. After she shut down for the day, when she came back in the morning and turned on the machine, she lost all of the mapped network drives and she couldn't even open any apps (because she no longer had admin rights).
I used the admin account to add her domain user account to the local admin group. I'm still puzzled as to why it did that.
I'm hoping this will solve this reverting back. Or do you think it may be another problem?

SJ
This could be applied to a computer start-up script, I believe, to save you visiting each PC, but I'm not sure that's your problem.

Could be another problem actually - once added to a local user group such as administrators, a domain account should really stay there! Maybe there's a network or domain problem going on. First port of call for me (Probably because it's the easiest and quickest!) is to check out the event logs on both server and client - all of them, and note any errors. These are in event viewer - administrative tools - control panel (sorry- just don't know how much you already know so being safe!)

"I need to create a security group in Active Directory - which will contain all of the domain users." - You don't need to, but it's easier to administer, so yes, do that,
and the rest - yes that's right (how many users have you got?). Maybe post your event logs first and we'll take it from there, but try it if you want to see how it works,


Deb :))
Sorry that's localgroup (not local group)
I've got 100 users over 3 buildings so I'm definitely going to use the security group.

It's just one machine the reverting back is happening on. I think I might just wipe it.
I'll try this tonight or either early tomorrow before everyone gets in - I'm PRAYING that this works.
I've been battling with this for three weeks now.

What type of scripting language should I use, or can you point to an article? Where is this script stored, on the server or on the machines? Can I dump the script in a login.bat file?

Any help you can give would be great, I know I'm pushing it for just 70 points.

SJ
lol - yes you are! Batch file will do it, I think.

Have a look at group policy - you'll need start-up scripts rather than logon scripts, as logon scripts run under the permissions of the user account logging on. Save the command in a file, give it a .bat extension, apply it to a start-up script in an OU, make sure PCs within the OU have read and apply group policy permissions on the GPO and off you go (have a google for 2000 domain startup scripts), or you can post a 500 pointer and get stacks of help (and not just from me)!

Deb ;-)
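
The start-up script approach described above, written out as an added example that is not part of any poster's reply. YOURDOMAIN comes from the thread; the group name "Workstation Admins" and the log path are assumed placeholders. It adds one dedicated domain security group (not Domain Users) to the machine's local Administrators group, does nothing if the group is already a member, and logs the result so a machine that keeps reverting can be spotted.

```batch
@echo off
rem Added example: computer start-up script, assigned through a GPO linked to
rem the OU that holds the workstations. Start-up scripts run in the computer's
rem context, so the command works even though the logged-on user is not an admin.
rem "Workstation Admins" and the log path are placeholders (assumptions).
setlocal
set "GROUP=YOURDOMAIN\Workstation Admins"
set "LOG=%SystemRoot%\Temp\localadmin-startup.log"

rem Already a member of the LOCAL Administrators group? Then do nothing.
net localgroup Administrators | find /i "%GROUP%" >nul
if not errorlevel 1 goto done

rem Add the domain group to the local group on this machine only.
rem This does not touch the domain's own Administrators group.
net localgroup Administrators "%GROUP%" /add >>"%LOG%" 2>&1
if errorlevel 1 (
    echo %DATE% %TIME% FAILED to add %GROUP% on %COMPUTERNAME% >>"%LOG%"
    endlocal
    exit /b 1
)
echo %DATE% %TIME% added %GROUP% on %COMPUTERNAME% >>"%LOG%"

:done
endlocal
exit /b 0
```

A new "added" line in the log on every boot of the same machine means something is removing the membership between restarts, which is the reverting behaviour described earlier in the thread.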

Thanks for your help Debsyl99