Forum Search:
Forum.Brain-Cluster.com: Brain Cluster Technical Forum
Ultimate forum for Technical Discussions

Home » Microsoft » Windows Server » Active Directory » Local Administrator Rights
Local Administrator Rights [message #156878] Thu, 25 June 2009 10:03 Go to next message
user  is currently offline user  Qatar
Messages: 74
Registered: October 2009
Member
AD Pros, please help me here.
What is the best way to give local admin rights to all users in the domain
(XP & 2003 AD). (I know its not good, but I have to). Someone pointed I
can use the Restricted groups feature in group policy. But how do I
actually do this. Should I simply add Domain Users group to local
Administrators group. If I do this, I think they can access each other's
machine using C$. Can I give them the rights, but prevent accessing the C$.
Or is there any other better way to it?
Re: Local Administrator Rights [message #156880 is a reply to message #156878] Thu, 25 June 2009 10:20 Go to previous messageGo to next message
lanwench  is currently offline lanwench  United States
Messages: 1684
Registered: July 2009
Senior Member
user <user@noemail.com> wrote:
> AD Pros, please help me here.
> What is the best way to give local admin rights to all users in the
> domain (XP & 2003 AD). (I know its not good, but I have to).

OK. Why do you think you have to? I'll bet you don't. :-)

> Someone pointed I can use the Restricted groups feature in group
> policy. But how do I actually do this. Should I simply add Domain
> Users group to local Administrators group. If I do this, I think
> they can access each other's machine using C$.

Yep. And do all sorts of damage to their own computers, and perhaps the
entire network (e.g., malware infestation or virus).

> Can I give them the
> rights, but prevent accessing the C$.

Only if you add each specific domain user to his/her own local
administrators group. This sucks.

> Or is there any other better
> way to it?

Yes. Don't grant local admin rights. If you have software that won't run
properly without that, figure out where in the registry and/or file system
the application expects to have access, and change the permissions
accordingly.
Re: Local Administrator Rights [message #156883 is a reply to message #156878] Thu, 25 June 2009 10:24 Go to previous messageGo to next message
florian  is currently offline florian  Switzerland
Messages: 484
Registered: July 2009
Senior Member
Howdie!

"user" wrote:
> AD Pros, please help me here.
> What is the best way to give local admin rights to all users in the domain
> (XP & 2003 AD). (I know its not good, but I have to). Someone pointed I
> can use the Restricted groups feature in group policy. But how do I
> actually do this. Should I simply add Domain Users group to local
> Administrators group. If I do this, I think they can access each other's
> machine using C$. Can I give them the rights, but prevent accessing the
> C$. Or is there any other better way to it?

Yeah, Domain Users should be good. I would avoid "Authenticated Users" since
those include users of foreign domains, too. You maybe don't want that.

As for the administrative shares, I guess this is something you will have to
live with. Users are local admins and have to power to do everything. With a
little tweaking, they can make GP settings undone (if wanted). You can
either force client machines to not share c$ at all (there's a custom ADM
template around, I think) or tweak share permissions on c$ -- the latter
would require scripting.

Cheers,
Florian
--
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Maillist (german): http://frickelsoft.net/cms/index.php?page=mailingliste
Re: Local Administrator Rights [message #156908 is a reply to message #156878] Fri, 26 June 2009 02:08 Go to previous messageGo to next message
meiweb(nospam)  is currently offline meiweb(nospam)  Germany
Messages: 1307
Registered: July 2009
Senior Member
Hello user,

As said from the others, the best option is to make them NOT local admin.
Convince your boss about the disadvantages what can happen if they compromise
the network with Virus etc.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> AD Pros, please help me here.
> What is the best way to give local admin rights to all users in the
> domain
> (XP & 2003 AD). (I know its not good, but I have to). Someone
> pointed I
> can use the Restricted groups feature in group policy. But how do I
> actually do this. Should I simply add Domain Users group to local
> Administrators group. If I do this, I think they can access each
> other's
> machine using C$. Can I give them the rights, but prevent accessing
> the C$.
> Or is there any other better way to it?
Re: Local Administrator Rights [message #156920 is a reply to message #156878] Fri, 26 June 2009 06:34 Go to previous messageGo to next message
user  is currently offline user  Qatar
Messages: 74
Registered: October 2009
Member
Thank you very much Lanwench, Florian & Meinolf. You guys are really great.
You got me scarry - But gave me good reasons to fight my users and my boss


"user" <user@noemail.com> wrote in message
news:#h#a52Z9JHA.3544@TK2MSFTNGP04.phx.gbl...
> AD Pros, please help me here.
> What is the best way to give local admin rights to all users in the domain
> (XP & 2003 AD). (I know its not good, but I have to). Someone pointed I
> can use the Restricted groups feature in group policy. But how do I
> actually do this. Should I simply add Domain Users group to local
> Administrators group. If I do this, I think they can access each other's
> machine using C$. Can I give them the rights, but prevent accessing the
> C$. Or is there any other better way to it?
Re: Local Administrator Rights [message #156925 is a reply to message #156920] Fri, 26 June 2009 08:34 Go to previous messageGo to next message
lanwench  is currently offline lanwench  United States
Messages: 1684
Registered: July 2009
Senior Member
user <user@noemail.com> wrote:
> Thank you very much Lanwench, Florian & Meinolf. You guys are really
> great. You got me scarry - But gave me good reasons to fight my users
> and my boss
Good luck :)

>
> "user" <user@noemail.com> wrote in message
> news:#h#a52Z9JHA.3544@TK2MSFTNGP04.phx.gbl...
>> AD Pros, please help me here.
>> What is the best way to give local admin rights to all users in the
>> domain (XP & 2003 AD). (I know its not good, but I have to). Someone
>> pointed I can use the Restricted groups feature in group
>> policy. But how do I actually do this. Should I simply add Domain
>> Users group to local Administrators group. If I do this, I think
>> they can access each other's machine using C$. Can I give them the
>> rights, but prevent accessing the C$. Or is there any other better
>> way to it?
Re: Local Administrator Rights [message #156961 is a reply to message #156920] Sun, 28 June 2009 05:42 Go to previous message
meiweb(nospam)  is currently offline meiweb(nospam)  Germany
Messages: 1307
Registered: July 2009
Senior Member
Hello user,

You're welcome.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Thank you very much Lanwench, Florian & Meinolf. You guys are really
> great. You got me scarry - But gave me good reasons to fight my users
> and my boss
>
> "user" <user@noemail.com> wrote in message
> news:#h#a52Z9JHA.3544@TK2MSFTNGP04.phx.gbl...
>
>> AD Pros, please help me here.
>> What is the best way to give local admin rights to all users in the
>> domain
>> (XP & 2003 AD). (I know its not good, but I have to). Someone
>> pointed I
>> can use the Restricted groups feature in group policy. But how do I
>> actually do this. Should I simply add Domain Users group to local
>> Administrators group. If I do this, I think they can access each
>> other's
>> machine using C$. Can I give them the rights, but prevent accessing
>> the
>> C$. Or is there any other better way to it?
Previous Topic:wWin2008 DC local area connection> Link layers
Next Topic:any effect on this change?
Goto Forum:
  


Current Time: Fri Oct 20 10:05:12 EDT 2017

Total time taken to generate the page: 0.02703 seconds
.:: Contact :: Home ::Sitemap::.

Powered by: FUDforum 3.0.0RC2.
Copyright ©2001-2009 FUDforum Bulletin Board Software