under a domain, how do i give users full control of their workstat

Discussion in 'Active Directory' started by Allan, May 18, 2007.

  1. Allan

    Allan Guest

    I'm connecting approx 50 machines to active directory. (to a domain)..

    we used to have 50 computers connecting to a winxp pro machine sharing
    files.. (time to get a server) The main purpose is to share files.. We were
    previously using a workgroup environment... I'm now running Server 2003
    Enterprise.. domains are fairly new to me.

    I notice when the local workstations are a member of a domain, it's pretty
    locked down (using default gpo settings), users can not change anything on
    their machines, (internet explorer settings, install new programs, windows
    update, click on the system time etc..)

    i'm contantly being bother with I'm not able to do this or that..
    How do I give full access to users, so that they can install their own
    programs, do whatever they want on their on local machines? pretty much like
    full admin access to their computers. (they can trash their local machines if
    they want, not really a concern) At the same time, I would still like a
    little bit of control over the users.

    Is it done though Group Policies? There are so many group policies, how am I
    going to tag every single one? How do I know which one does what? There's
    just too many.
     
    Allan, May 18, 2007
    #1
    1. Advertisements

  2. One way would be to visit each computer and put that user's domain account
    in the local admin group.

    Go to computer management (right click on my computer and select manage) -
    local users and groups - groups - right click on administrator and select
    add to group - add button and on the applet "select users, computers, or
    groups" make sure the location is focused on the domain not the local
    computer.

    Add the users domain account to the group.


    hth
    DDS
     
    Danny Sanders, May 18, 2007
    #2
    1. Advertisements

  3. Allan

    Allan Guest

    omg, to every single computer??

    what if a user wants to roam onto a different computer? how does this affect
    them?
     
    Allan, May 18, 2007
    #3
  4. Allan

    Anthony Guest

    Allan,
    To respond to your questions:
    1) There isn't an automated way to make one user a local admin of one
    machine. To do that you would have to have a mapping of users to machines,
    and Windows domains are basically engineered to make users independent of
    machine. However you can connect remotely to each machine through the
    Computer Management console and do it. You could write a script to do it. Or
    when you hand over a machine to a user you can do it then.
    2) You don't really want users to be local administrators. It's not the
    problem of trashing their PC. Its the problem of trashing the whole network
    with a virus, or some other way. There is also some liability that falls on
    you if you allow users to do illegal things with your machines. However it
    means that you need to automate the things that need admin rights, so there
    is some overhead in setting it up. Software distribution is the big one, so
    you might want to look for tools for that.
    3) It is true that there are thousands of policies. But many of them reflect
    settings that you can set on the PC. So if you start by deciding what
    settings you want to set on the PC, then you can look for the policy that
    does it.
    Anthony
    http://www.airdesk.co.uk
     
    Anthony, May 19, 2007
    #4
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.