Student worker's workstation rights

[cofeeadict]

We are using Active Directory and I currently have my student workers assigned to Administrators/Builtin and Domain Users Groups.

They are not able to install sofware or run Window's Updates.

I don't want them to have access to any of the servers or be able to make changes to the Directory.

What groups do I need to add them to?

 

[markdmac]

Get them out of the Administrators group because they can destroy your network.

If you want them to be able to install software/updates on just workstations, make them part of the local machines Power Users group.

If you are looking to have them Admin the servers, then make them part of the Server Operators group.



I hope you find this post helpful. Please let me know if it was.

Regards,

Mark

 

[cofeeadict]

I'm not able to see a Power Users group in the choices.

 

[karenannette]

In a Win 2000 system I've got only system admins in the admin group. All others are either power user or restricted user. One person who unknowingly infested their machine with spyware, probably repeatedly, is now a restricted user with no problems. And this person doesn't know they are a restricted user, either. Made the spyware problem quit. And I'm willing to change over other staff if they cause problems, but most are power users.

After rebuilding one machine twice in a month, I've learned my lessons.

Security is a BIG issue in my building as it should be and I'm only running a 25 box network. NO ONE gets admin passwords or clearance except me and my backup person.

Good luck!
Karen

 

[markdmac]

Coffeeadict, you did not respond as to where you are trying to set the restrictions. Is this for a server or workstations?

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark

 

[cofeeadict]

Mark,

Sorry. I'm trying to give the workers access only to the workstations but I cannot run around to each workstation to create an account for them. They need to log into the AD Domain. However, when I have them assigned to the Domain Users, they cannot install software or run Windows Updates. The only other memberships in AD I can give are "Administrators", "Domain Administrators" and so on. No "Power Users". Do I have a screwed up AD structure? Should I have "Domain Power Users"? makes me wonder why Microsoft does not give "Domain Users" enough rights to run windows updates or provide a group that would.

 

[markdmac]

You will find Domain Users on the local workstation. It is part of the workstatin security groups, not a domain one. You can remotely do the edits to add that. Just right click my computer, choose Manage. Then right click Computer management(local) and choose Connect to Another Computer.

If you want to try and automate it you can do some research on importing secedit security databases.

Your last and best option would be to install SUS server to get those updates down onto the machines automatically. SUS is free from Microsoft.

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark

 

[cofeeadict]

I am using SUS unfortunately I have a lot of NT 4.0 machines in the mix too.

 

[markdmac]

Oh you poor unfortunate soul.

Time to push for some upgrades. Good luck to you.


Regards,

Mark