I’m not sure if this has been covered before, just finally figured out how to
get on this list after 2 years of working here. :)
Just thought I would share what I have come up with here at the Com Arts
Building with regards to making the local users administrators of their own
computers but not administrators of the network.
This can be done in a few ways.
First and probably the most common why is to just add the domain user to the
local Power Users group or the Administrators group on the local computer.
This will work fine but requires a visit or a remote connect to the local
computer. If you already have a large network this method takes too long.
Second, you can make all workstations in an OU have local administrator
access regardless of the user.
Create an OU for the computers e.g.: Unrestricted Computers. Move the
computers you want to change into the OU. For the Unrestricted Computers OU
do the following. This must be done from the server.
1. Right click the Unrestricted Computers OU and select properties.
2. Go to the Group Policy Tab
3. Select or create a group policy and click Edit.
4. Go to Computer Configuration\ Windows Settings\ Security Settings\
Restricted groups
5. While restricted groups is highlighted select action from the MMS toolbar
and select "Add group"
6. Click the "Browse" button
7. Select the following group "Administrators" and click "OK"; this is the
built-in administrators for the domain controller, not the domain/tree
administrator.
8. Click "OK" Again
9. Double-click "Administrators"
10. In the "members of this group" and click the "ADD" button.
11. Select the browse button and select "Domain Users" and "users"
and "system" and "administrators" and "domain administrators" click "OK"
click "OK" Click OK. If you don’t have some of the groups or can’t find them
that is ok.
12. Now, from the command line type "secedit /refreshpolicy machine_policy"
The "Domain Users" that log onto the select machines will be local
administrators.
There is one more way to make it dependant on the computer and the user.
Basically it is the same but you also maintain a group with a list of users
and then only the users in the list that log into the unrestricted computers
will have admin access. Replace this group with the domain users group when
making the policy.
Hope this helps someone. If you have more questions email me and I will help
fill the gaps.
Nicholas Zeidler
Network Administrator
Communication Arts & Sciences
E: [log in to unmask]
P: (517) 353-7253
|