2K3 User question


hons

I'm a Domain Admin in the network. I want to add "Domain\Users" to the "Power Users" group on the local computers. Is there any way I can add it on the server instead of going to each local machine???

Thanks.



Right-click on My Computer and go to Manage.

In Computer Management -> Local Users and Groups:

You can create a user and, by clicking on the user's account, add it to the domain by navigating to the Member Of tab.


Thanks guys,

The reason that I need to add the users onto the local computer is because I want the users to be able to run the update of the program by themselves. Right now the domain users don't have the right to install programs.

I want to do it in the simplest way; I don't want to go to each computer to add the user.

Could anybody help on this?? If we can do it through GP, what are the steps???

Thanks again. :blushing::blushing:


> The reason that I need to add the users onto the local computer is because I want the users to be able to run the update of the program by themselves. Right now the domain users don't have the right to install programs.
>
> I want to do it in the simplest way; I don't want to go to each computer to add the user.

Just so you know, you're sacrificing A LOT of security just to make things a bit easier. If you have a lot of users and want to do it correctly you should look into SMS.

> Could anybody help on this?? If we can do it through GP, what are the steps???

First of all, I recommend downloading the Group Policy Management Console w/ SP1. It'll make managing Group Policy Objects (GPOs) much easier. Once you've downloaded it, install it on the DC(s) (you can also install it on a workstation if you choose to manage your GPOs remotely).

Now open the console (Admin Tools > Group Policy Management) and navigate to Group Policy Management > Forest: [your.forest.name] > Domains > [your.domain.name] > Group Policy Objects. This will show you all of the currently available GPOs. By default you should have Default Domain Controllers Policy and Default Domain Policy. I recommend leaving these alone and creating new GPOs for each item that you want to force settings for. This way, if you create a GPO that causes problems, you can disable just that GPO without disabling all policies.

Right click on Group Policy Objects and select New. Name it something recognizable like Workstations Restricted Groups. Once you've done that, right click on the new GPO and select Edit. For this particular GPO you want to go to [GPO Name] > Computer Configuration > Windows Settings > Security Settings > Restricted Groups.

Right click on Restricted Groups and select Add Group. Type the name of the group (Power Users). On the next screen it'll give you the option of which users should be members of this group and which groups this group should be a member of. Under Members of this group click on Add and enter Domain Users, then click OK. You can now close the Group Policy edit window so that you're back at the Group Policy Management window.

Since you're only using machine settings in this particular GPO you should disable the user settings. This can be done by right clicking on the GPO, selecting GPO Status and then selecting User Configuration Settings Disabled.

After you've done this you need to link the GPO to the OUs that you want to apply it to. You want this to apply to your workstations so in the Group Policy Management console right click on the OU that contains your workstation computer accounts and select Link an Existing GPO. Select the GPO you just created. Once it's linked I always select to Enforce the GPO. To do that right click on the GPO link under the OU and select Enforced.

GPOs can be very powerful. You should do some research before applying any more settings though. Even though you're giving all of your users Power User access, you can still restrict certain areas of the workstation using GPOs. The NSA website has some good documentation on securing workstations using Group Policies. If you use this, just keep in mind that it's a guideline. Some of the settings can cause problems if improperly configured or used with older applications.

http://www.nsa.gov/snac/downloads_winxp.cf...uID=scg10.3.1.1
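An added example, not part of the original post: a Restricted Groups setting like the one described above is saved in the GPO's security template (`GptTmpl.inf`, under `Machine\Microsoft\Windows NT\SecEdit` in the GPO's SYSVOL folder) as a `[Group Membership]` section. This Python sketch audits that section for catch-all principals placed in Power Users or Administrators; the sample template, its domain SID and the `EXAMPLE\Helpdesk` group are constructed for illustration.

```python
import re

# Local groups whose membership grants install/elevation rights (well-known SIDs).
PRIVILEGED = {"S-1-5-32-544": "Administrators", "ADMINISTRATORS": "Administrators",
              "S-1-5-32-547": "Power Users", "POWER USERS": "Power Users"}
# Catch-all principals that should not appear in those groups.
BROAD_SIDS = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users"}
BROAD_NAMES = {"everyone", "authenticated users", "domain users"}
DOMAIN_USERS = re.compile(r"S-1-5-21(-\d+){3}-513")  # domain SID + RID 513

def broad_label(member):
    """Return a label if member is a catch-all principal, else None."""
    member = member.strip()
    if member.startswith("*"):                 # SID form, e.g. *S-1-5-11
        sid = member[1:].upper()
        return "Domain Users" if DOMAIN_USERS.fullmatch(sid) else BROAD_SIDS.get(sid)
    name = member.split("\\")[-1].lower()      # drop any DOMAIN\ prefix
    return member if name in BROAD_NAMES else None

def audit_restricted_groups(inf_text):
    """Return (local group, broad member) pairs found in [Group Membership]."""
    findings, in_section = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        group, sep, kind = key.strip().rpartition("__")
        target = PRIVILEGED.get(group.lstrip("*").upper())
        # Only "<group>__Members" lines of privileged groups are of interest.
        if not sep or kind.lower() != "members" or target is None:
            continue
        for member in value.split(","):
            label = broad_label(member)
            if label:
                findings.append((target, label))
    return findings

# Constructed sample; real files are UTF-16, so read them with encoding="utf-16".
SAMPLE = r"""[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-547__Memberof =
*S-1-5-32-547__Members = *S-1-5-21-1111111111-2222222222-3333333333-513
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-512,EXAMPLE\Helpdesk
"""
```

Running `audit_restricted_groups(SAMPLE)` reports the Power Users entry that contains Domain Users and leaves the Administrators entry alone.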


Thanks to nmX.Memnoch and other members' help. :hello:

nmX.Memnoch,

I understand that there is a high security risk to add the users to the power users group. Is there any other way that I can do the similar work??

What I want to do is -

We have an application that needs to be updated to a newer version, and the update file needs to be downloaded from another company and run with admin rights. I can log on to the local machine as admin and run the update, but we have several hundred PCs!!! SMS is a good option, but we don't update applications so often (maybe once a year), so we don't have a plan to purchase it.

Thanks for your help again; awaiting your reply. :blushing::blushing:


You could always try running the update in a machine logon script, as those run as the local SYSTEM account (you wouldn't necessarily have network access, so the install file would need to be local, but the script would definitely have rights as the SYSTEM account). It's worth a try in a test environment :).


If you can script the installation to run with elevated access (i.e. runas with an admin account or an account that had admin rights on the box), would that complete the update correctly? Test it once. Set up a machine and run the update by right clicking on it and doing a runas; use credentials that would have admin rights on the machine and see if the update would run successfully.


The only downside to that is that you would then have a script containing a clear text password of a user with admin privs on the workstations. :)

True true, just don't let anyone at the scripts ;) or use an account that is locked down.
