immorall

  1. We just implemented restricted groups a few days ago to control the "local" Administrators and what users belong to that group. We seem to now be having problems just with users with roaming profiles. The problems are sporadic, ranging from Outlook problems to programs not able to access certain files and to local rights issues. Does anyone have any idea on how this new policy would affect just roaming user profiles? Those users weren't part of the "local" administrators groups before, so it wouldn't have anything to do with them being removed from the "local" administrators group because of the Restricted Groups policy. Any ideas would be helpful. Thanks.
  2. OK, how and where do you do that? I have looked several times in group policy and can't find an option for that.
  3. We must be doing this the hard way or something. Basically what we want to accomplish is to have a sub-user in our domain be able to do almost anything on the LOCAL machine. This includes changing usernames, installing software, changing IPs, installing drivers, changing computer names, etc. Anything that a LOCAL Administrator would be able to do. However, we don't want that sub-user to be a domain admin and have domain admin rights. Before, we used to just separate them: give the LOCAL Administrator account name and password to the user who needs to do the tasks on the local machine, and then have the domain admin perform the tasks you can't do as a Local Administrator. Well, this worked out fine until, if you read my last post yesterday, the Local Administrator account got compromised, and we were trying to figure out some way to change the Local Administrator account on hundreds of machines. I got some good replies but they all involve using scripts. For one, scripts aren't my strong suit, and two, supposedly the scripts can be a security problem. There has to be some better way of delegating these tasks.
  4. I was wondering if anyone knew of a way to change the local admin account on multiple machines in a domain instead of having to go to every account to change it manually. Whether there was some way through group policy or a script of some sort? Anything would be helpful. Thanks
  5. OK, I can't seem to solve this problem for the life of me. We have a 2003 server running ISA. It is also a DHCP server for some of our clients. Everything worked fine for a while. Now, the DHCP server is not issuing leases to any clients. There are plenty of leases to give out, and it even shows in the DHCP statistics that the DHCP server still has 100% of its leases to give out. The DHCP server also shows no Discovers, Offers, Requests, or Acks being sent AT ALL. I give a client a static IP on the same subnet as the scope and it is fine. It can ping the DHCP server, get out to the Internet, etc. I ran Ethereal on the DHCP server's interface and it shows DHCP Discover packets on the interface, but it doesn't show Offers, Requests, Acks, or Nacks. I looked at the DHCP log and it shows no errors at all. It does show that it is trying to clean up its leases (normal). The DHCP server service is running. I verified this both in the services console and in the DHCP server interface. The DHCP server is authorized and the scope is activated. The ISA firewall doesn't have any deny filters at all, and the subnet is defined as one of the internal networks for NAT. It's almost like the DHCP server (interface, not the GUI) sees the Discover packets but is ignoring them. I set up another server with the same exact scope and options, on the same subnet, and it gives out leases just fine. Anyone have a clue on what the hell this could be? Why would the DHCP server ignore the Discover packets?
  6. I was wondering if there was a way to limit a user to being able to log into the domain on one machine at a time. In other words, a user couldn't be logged into one machine and then go log into another machine, thus being logged into the domain twice.
  7. Thanks, I was wondering if there was a way to add a local user with a GPO. I didn't know about that command. Thank you all for your help.
  8. Is there any other way? Both of your solutions here require adding a local account to the computer. With almost 1000 machines, that's real time worthy. I thought maybe there was some way to automatically add a domain user account or group to the local computer with admin rights. I mean, I would think there would be some way. How do organizations with thousands and thousands of computers do it? I know they don't give each member in their IT department domain admin or enterprise admin rights. So how would an IT tech or sub-administrator change a computer name, change an IP address on a computer, or install a program without having the Network Administrator with a domain admin or enterprise admin account come do it for them?
  9. I have one domain and I want to create a sub-administrator account that can do various things on the local machine, such as change the computer name, the IP address, and/or install a printer/program. Now, from what I read, with domain admins and enterprise admins or any users that are part of those groups, their accounts are already added to the local administrators group on the local machine. This is why when they log in, they can do these types of things: change the computer name, IP, printer/program, add to the domain, etc. So getting to my question, how would you create a user that you didn't want to add to the domain admins or enterprise admins group, but still wanted to have LOCAL admin rights? In other words, I just want a user that doesn't have any domain administrative rights, but can log onto any machine and has full local admin rights. I tried doing a group policy that applied to that user that ENABLED them with those rights, but the GP didn't affect anything. I even put it ahead of the domain default GP just to make sure that wasn't affecting anything. I know there is a place in AD for "delegation", but most of that is just rights for the actual AD structure, not the rights I'm wanting on local machines. How would I go about doing this?