How2: User Rights on Domain but Admin Rights on Computer

We have a pretty simple setup: Single Win2K3 Server/DC and may 8 or 10
client machines. We have a couple of users that we have assigned only a user
group membership on the domain because we don't want them messing with files
on the server shares. But at the same time, the user level login restricts
them on their personal clients to where they can't install software or even
run some software. How do I keep them as users on the domain but at the same
time give them administrative (read, FULL) access to their individual client
machines? Thanks, tom c

 

Any domain account (i.e. plain user) can be added as a member
of a particular machine's Administrators group to make that domain
account an admin on that one machine.

However, this is not advisable.

Most applications by now, save for pretty old versions, can be made
to run without being admin. While admin is still required for config
changes and installs, etc. it is IMO far better to provide them with a
machine local account that is admin, for use when and only when it
is needed (config change, install, etc.), thus encouraging the use of
a plain (i.e. limited) user account for daily activity (i.e. their domain
account is just a member of Users on their machine, likely via the
membership of Domain Users in their machine's Users group).
Having everyone work day in day out as an admin is a recipe for
eventual disaster.

 

Dear Sir,

You sound like you have a lot of experience with Desktop Authority and
Security Explorer.

I am currently using DA 7.5. I anticpate purchasing SE in the next few
days.

I'd be curious about how much there is to do with DA and SE, and wondered if
we might exchange some messages? I've been using DA for over a year now,
but I know I'm not using it to its fullest potential.

Thank-you,

-David
(PS...anyone know of any ScriptLogic newsgroups?)