Granting local admin rights to WinXP users

[sroka]

Have upgraded our single WinNT PDC server to Win2k and finally correctly setup WinXP users to logon the domain [after resolving a naming issue].

The AD is setup and WinXP users can use their assigned shares, but these users do not have control over thier local machines to add programs.

Is this by design in Win2K? How are local admin rights assigned through the AD, so that local users do not have to use the RunAs command - or is this the only way to install local programs on thier WinXp machines while connected to the domain.

Cheers

 

[mozingod]

You'd have to go to each machine, then Start->Control Panel->Users, and add their username under the Administrators group. By default they're in the Domain user's group, which is in the local user group on the machines.

Darrell Mozingo

 

[hewissa]

See this thread:

thread96-557664

Hewissa

MCSE, CCNA, CIW

 

[sroka]

The users had local admin rights prior to joining the domain, do I have to make them admin's [locally] again after they were joined.

Assume that I have to be logged in as an admin locally when I preform the above step...

 

[hewissa]

If they had local rights prior then that shouldn't change. Ideally, you would make a global group and assign the group local admin rights. Then you would only need to change the membership of the group.

Yes you would need to be an a domain admin for the script to work.

Hewissa

MCSE, CCNA, CIW

 

[jsd2003]

If the users had local admin rights prior to joining the domain, you will have to go to each machine and make their domain login a local admin. Prior to joining the domain is was their local login that had the local rights - separate from their new domain login. The alternative, as above is to make a domain group, then give that domain group local admin rights (but you still have to go to each machine).

 

[mattjurado]

JSD2003 is right. Now that you are logging into a domain from these workstations, even though the user account may have the same name, it is indeed, a different account. You need to add the domain user account to your local administrators group. Login to each machine as local administrator account. Go to Start, Settings, Control Panel, Administrative Tools. Open Computer Management, go to groups, and double click the administrators group. This is the group of users that has local administrative rights. Click Add, and where it says LOOK IN, change it to the domain (at this point you might have to type the domain administrator name and password), and select the user account(s) that will be accessing the workstation. Click OK when you are done.


Matt

 

[hewissa]

Yes. I agree. Not sure what I was thinking when I posted my reply. Thanks for clearing that up jsd2003 and sorry for any confusion I may have caused.

Hewissa

MCSE, CCNA, CIW

 

[billieT]

If you make them Power Users, they can install software anyway. Except software that modifies system files or services. And you're mad if you want to allow normal users to do that to their machines. Or do you make them rebuild the machines themselves when they c*ck it up? Giving people admin rights makes me cringe!!

 

[meacham]

There is a way to do it from AD, but it's a bit tricky.
See knowledge base artikel Q320065.

http://support.microsoft.com/default.aspx?scid=kb;en-us;320065

Wishing you the best...

Mr. Meacham