Giving domain users local admin rights

I'm honestly a bit confused about user rights on Windows Server 2003.

Let's say I have 100 users whom I've created on a Win2k3 domain controller. When they login to the domain from a PC, they don't have any admin rights on that PC. I suspect I should work through GPO to do something, but was wondering if somebody had an answer.

Thanks!

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

vCole

You need to give them administrator permissions via the local machine.

genXrcist

binarysoul wrote: »

I'm honestly a bit confused about user rights on Windows Server 2003.

Let's say I have 100 users whom I've created on a Win2k3 domain controller. When they login to the domain from a PC, they don't have any admin rights on that PC. I suspect I should work through GPO to do something, but was wondering if somebody had an answer.

Thanks!

You should use Group Policy -> Restricted Groups to place whomever you want into the administrators group you please. Link it to the Site, Domain or the OU with the users in it and voila!

blargoe

Not sure what you're asking. Are you trying to make the primary user of the each computer a local admin on that PC? No way to automate that that I know of.

If you're just trying to make a particular domain group or domain user an administrator on all the PC's, that's pretty easy if you put all the computers into an OU and set up some Restricted Groups group policies for the Administrators group. Enforce "Members" to force the same list of users in the Administrators group when the GPO is refreshed, enforce "Member Of" to allow changes to the Administrators group but always refresh the membership with the users/groups you want to have added.

royal

Sure there's a way to automate this.

Used Restricted Groups to nest the Interactive Group to the Local Administrators group. Any user who logs onto their machine will be local admin ONLY for the machine they're logged onto.

Problem solved!

blargoe

I hadn't thought of that royal... that's not really what I meant though, I had in mind that he'd want each person's computer to have only have THAT person added to the administrators but leave other people out of the group, rather than making anyone who logs in with a valid domain user account an administrator.

RobertKaucher

What are the management issues involved. When the user moves or changes departments do they need to be removed from the group?

I could see you doing something like this with a PowerShell script.

Here is one you could start with:
PowerShell script to add/remove a domain user to the Local Administrators group on a remote machine - Ying Li(MVP) at myITforum.com

Next you would just need a valid list of computer/user names and write a loop.

binarysoul

Let me explain the situation.

Let's say about 20 WinXP were installed using Windows Deployment utility (Win2k3) and all PC's joined a domain. So when users logged in to the domain from their PC, they had limited access on that PC. Each user uses their own PC, so they're not logging in from different PCs.

I then logged in as the local administrator on a PC and added a user wsmith and gave it admin rights on the PC. Since there was already a prfile created under c:\documents and settings\wsmith, Windows created another user profile called PCNAME.wsmith. So now when the user logs in to the domain they have admin rights on the PC.

This doesn't seem a good solution. Royal mentioned about "Restricted Groups", maybe someone can elaborate on that as I have got no clue on this group

binarysoul

RobertKaucher wrote: »

What are the management issues involved. When the user moves or changes departments do they need to be removed from the group?

I could see you doing something like this with a PowerShell script.

Here is one you could start with:
PowerShell script to add/remove a domain user to the Local Administrators group on a remote machine - Ying Li(MVP) at myITforum.com

Next you would just need a valid list of computer/user names and write a loop.

Thanks! That's exactly what I wanted. But the million dollar question is whether I can do it without using that script! I mean isn't there a way to do it on the Win2k3 server?

RobertKaucher

The short answer is no. There is no built in method to easily add a single user to the local group on a single machine. The reason being the server only understands the AD groups, where as the local groups are stored in the SAM database.

The problem here is there is no easy/efficient way to do this via group policy. You would have to create an OU for each user and place that user's PC in the ou and then create a GPO for each of the OUs.

Your best sollution is to use something like powershell. You can even do that from your PC.

RobertKaucher

binarysoul wrote: »

Royal mentioned about "Restricted Groups", maybe someone can elaborate on that as I have got no clue on this group

The way Royal suggested would add any one who is logged on to the PC to be a local admin. This means that if I signed in to pc100 I would be a local admin. If I signed into PC101, I would also be a local admin. This does not seem like what you want.

Hyper-Me

binarysoul wrote: »

Thanks! That's exactly what I wanted. But the million dollar question is whether I can do it without using that script! I mean isn't there a way to do it on the Win2k3 server?

You can install powershell on windows server 2003.

blargoe

binarysoul wrote: »

I then logged in as the local administrator on a PC and added a user wsmith and gave it admin rights on the PC. Since there was already a prfile created under c:\documents and settings\wsmith, Windows created another user profile called PCNAME.wsmith. So now when the user logs in to the domain they have admin rights on the PC.

I think you are saying that you (as the local Administrator account on the PC) created a new user account wsmith on the PC, probably using Computer Management -> Local Users and Groups, then you added that user to the Administrators group? And then the domain user ended up with admin rights? That doesn't make sense... All that you should have had to do is add the user "DOMAINNAME\wsmith" to Administrators. I think that's actually what you did, since that guy actually ended up with rights. Creating a local account for wsmith isn't required at all.

I might be misunderstanding you though.

RobertKaucher

blargoe wrote: »

I think you are saying that you (as the local Administrator account on the PC) created a new user account wsmith on the PC, probably using Computer Management -> Local Users and Groups, then you added that user to the Administrators group? And then the domain user ended up with admin rights? That doesn't make sense... All that you should have had to do is add the user "DOMAINNAME\wsmith" to Administrators. I think that's actually what you did, since that guy actually ended up with rights. Creating a local account for wsmith isn't required at all.

I might be misunderstanding you though.

I believe that what Bin wanted to say was that now when the user logs on with Domain account the user does NOT have admin rights. The two accounts DOMAIN\wsmith and %computername%\wsmith would not have the same SID and would not be confused by the SAM on the local PC. Therefore DOMAIN\wsmith should not have admin rights unless explicitly having been granted admin rights. I believe he miss typed and that's why it seems confusing.

It seems like this is a new Domain that had previously opperated as a Workgroup.

RobertKaucher

Ok, for those who would like it I have created a modified version of the PowerShell script in the post I made before. It needs to be called with two parameters: the location of a file with the computer,username on each line and then the action to be performed (add or del) to either add the user to the local admins group or delete the user from the local admins group.

PS C:> .\scripname.ps1 .\list.txt add
as an example.
I have not included any error checking, so if you fubar the params it might blow up.

I have tested it but provide no warranty

#Edit the variable bellow to the name of your domain. If the Domain Name is test.local, only enter test.
$domain="test";
$fileName=$args[0];
$action=$args[1];
#Get the list of computers and users and read them into an array.
$a= (get-content $fileName)
#Cycle through each computer/user and add or remove them from the local admins group.
foreach($string in $a)
{
$b=$string.split(",");
$strComputer=$b[0];
$username=$b[1];

$computer= /SIZE][/FONT][/SIZE][/FONT][FONT=Courier New][SIZE=2][COLOR=#008080][FONT=Courier New][SIZE=2][COLOR=#008080][FONT=Courier New][SIZE=2][COLOR=#008080]ADSI[/COLOR][/SIZE][/FONT][/COLOR][/SIZE][/FONT][/COLOR][/SIZE][/FONT][FONT=Courier New][SIZE=2][FONT=Courier New][SIZE=2("WinNT://"+$strComputer+",computer")
$computer.name

$Group=$computer.psbase.children.find("administrators")
$Group.name

# This will list what’s currently in Administrator Group so you can verify the result

function ListAdministrators

{$members=$Group.psbase.invoke("Members") | %{$_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)}
$members}
ListAdministrators

# Even though we are adding the AD account but we add it to local computer and so we will need to use WinNT: provider

if($action -eq "add")
{

$Group.Add("WinNT://"+$domain+"/"+$username)

ListAdministrators

}
elseif($action -eq "del")
{

$Group.Remove("WinNT://"+$domain+"/"+$username)

ListAdministrators

}
}