How to make domain users local admins of their pc's 2

[computerjock33]

Other than adding the users to the domain admin group, how can I easily make the domain users, local admins of their pcs without having to go to each one of them?
thank you

 

[kmcferrin]

You would have to write a script that connected to each PC and put the Domain Uers group into the Administrators group.

But I recommend very strongly against doing that, as you will have no end of headaches with people breaking things that they don't understand, getting malware infections, etc.

And you DEFINITELY should never consider putting everyone in the Domain Admins group.

 

[computerjock33]

well the issue is that everyone currently has local admin rights (running netware for nos) moving to AD, so Im going to have to touch every pc then? I definitely dont want everyone in the domain admins group

 

[porkchopexpress]

When you move to active directory you can use restricted groups to manage this but i'll second what the others said you are asking for trouble people just can't help installing rubbish.

http://www.windowsecurity.com/articles/Using-Restricted-Groups.html

 

[computerjock33]

I completely agree, but since it all starts at our mgt level and there is NO policy established due to mgt...I dont really have a choice, unfortunately... at least not right now.......once I get AD up and going then I might tinker with certain group policies and narrow down some of it. I will take a look at the link porkchop, thanks

 

[lhuegele]

What we do here is have a security group that everyone belongs to - called "ADlocaladmins". This group is then given local admin rights on the workstations and is part of our standard image.

Yes, you're going to have to touch each machine initially, but after that you should be good to go as long as you add this group to local admins on each new computer you introduce to your network.

Good luck,

 

[porkchopexpress]

Do you use active directory lhuegele? If so then look into restricted groups it's far more flexible and will allow you change local group membership in future with just the change of a GPO.

 

[gmail2]

In addition to porkchop's post, just wanted to say that using restricted groups would also be more secure than adding that group into each PC manually. If you add a user to that group temporarially (ie, give them local admin rights) then there's nothing stopping them from adding their own account into the Administrators group on their PC, or worse still, adding Domain Users ... and even removing the Domain Admins group also if they wanted to be really nasty. With restricted groups, even if they do this, it'll all get overwritten next time policy is applied.

Just thought I'd add my 2cent for what it's worth

Irish Poetry - Karen O'Connor
Get your Irish Poetry Published
Garten und Landschaftsbau

 

[computerjock33]

porkchop, do you have any links that are more specific to applying the local admin rights via ristricted group other than the one you posted? I dont want to do or undo anthing that is unnecessary and make sure I get the config right as well. So for laptop users that log into a cached profile when not on the network, they will have limited rights unless manually added to local admin group, correct?
thanks again