hi all,
i was wondering how you give rights to a user logging into a domain computer, so that they can install software. I don't want them to have admin rights all over the network, but do want them to update certain programs we use internally.
is there a way to give them app install rights w/o being domain admin?
thanks, george hardy
|
|
If you want to allow users full access to a member server, but not the domain, you can add "NT AUTHORITY\INTERACTIVE" to the administrators group on the member server. This will grant any logged on user admin rights to the member server when they are logged into it.
George Hardy wrote:
>hi all,
>
>i was wondering how you give rights to a user logging into a domain computer, so that they can install software. I dont want them to have admin rights all over the network, but do want them to update certain programs we use internally.
>
>is there a way to give them app install rights w/o being domain admin?
>
>thanks,
>george hardy
-- Message posted via WinServerKB.com http://www.winserverkb.com/Uwe/Forums.aspx/windows-server-security/200707/1
|
|
You can use Group Policy Restricted groups to add specific users to the local Administrators group of your domain member computers. See the links below for more info on Restricted groups.
http://support.microsoft.com/kb/279301
http://www.jsifaq.com/SF/Tips/Tip.aspx?id=3251
http://www.windowsecurity.com/articles/Using-Restricted-Groups.html
Regards, Martin MCSA: M
"George Hardy" <nospam[ at ]nospam.com> wrote in message news:%237jSjrxvHHA.736[ at ]TK2MSFTNGP06.phx.gbl...
>hi all,
>
>i was wondering how you give rights to a user logging into a domain computer, so that they can install software. I dont want them to have admin rights all over the network, but do want them to update certain programs we use internally.
>
>is there a way to give them app install rights w/o being domain admin?
>
>thanks,
>george hardy
|
|
Carl:
This looks interesting. Does it only limit them to interactive logons at the console and RDP? So they wouldn't be able to do any admin level stuff via something like the comp mgt mmc from another computer?
Regards, Martin
"CarlS via WinServerKB.com" <u35559[ at ]uwe> wrote in message news:74baee2f6f5ed[ at ]uwe...
>If you want to allow users full access to a member server, but not the domain, you can add "NT AUTHORITY\INTERACTIVE" to the administrators group on the member server. This will grant any logged on user admin rights to the member server when they are logged into it.
>
>George Hardy wrote:
>>hi all,
>>
>>i was wondering how you give rights to a user logging into a domain computer, so that they can install software. I dont want them to have admin rights all over the network, but do want them to update certain programs we use internally.
>>
>>is there a way to give them app install rights w/o being domain admin?
>>
>>thanks,
>>george hardy
>
>--
>Message posted via WinServerKB.com
>http://www.winserverkb.com/Uwe/Forums.aspx/windows-server-security/200707/1
|
|
Correct. We use it on our user PCs. It gives whoever logs on locally the local admin rights to install software. They cannot, however, connect to any other PC remotely, except under specific conditions, i.e., they put themselves in the administrators group on one PC, and then log onto another PC.
Martin X. wrote:
>Carl:
>
>This looks interesting. Does it only limit them to interactive logons at the console and RDP? So they wouldn't be able to do any admin level stuff via something like the comp mgt mmc from another computer?
>
>Regards,
>Martin
>
>If you want to allow users full access to a member server, but not the domain, you can add "NT AUTHORITY\INTERACTIVE" to the administrators group on the member server. This will grant any logged on user admin rights to the member server when they are logged into it.
>
>George Hardy wrote:
>>hi all,
>>
>[quoted text clipped - 7 lines]
>>thanks,
>>george hardy
-- Message posted via http://www.winserverkb.com
|
|
"CarlS via WinServerKB.com" <u35559[ at ]uwe> wrote in message news:74baee2f6f5ed[ at ]uwe...
> If you want to allow users full access to a member server, but not the domain, you can add "NT AUTHORITY\INTERACTIVE" to the administrators group on the member server. This will grant any logged on user admin rights to the member server when they are logged into it.
Ack! I hope you mean member computer. We don't allow our users to install software on the workstations, but they cannot even log on to the servers.
/Al
> George Hardy wrote:
>>hi all,
>>
>>i was wondering how you give rights to a user logging into a domain computer, so that they can install software. I dont want them to have admin rights all over the network, but do want them to update certain programs we use internally.
>>
>>is there a way to give them app install rights w/o being domain admin?
>>
>>thanks,
>>george hardy
>
> --
> Message posted via WinServerKB.com
> http://www.winserverkb.com/Uwe/Forums.aspx/windows-server-security/200707/1
|
|
The trick here is that if you make someone an administrator, you might as well admit that they own it - or will when they figure out how to defeat any tweaks implemented to restrict their access.
/Al
"CarlS via WinServerKB.com" <u35559[ at ]uwe> wrote in message news:74c7dc224db06[ at ]uwe...
> Correct. We use it on our user pc's. It gives whoever logs on locally the local admin rights to install software. They can not, however, connect to any other pc remotely, except under specific conditions. I.E, they put themselves in the administrators group on one pc, and then log onto another pc.
>
> Martin X. wrote:
>>Carl:
>>
>>This looks interesting. Does it only limit them to interactive logons at the console and RDP? So they wouldn't be able to do any admin level stuff via something like the comp mgt mmc from another computer?
>>
>>Regards,
>>Martin
>>
>>If you want to allow users full access to a member server, but not the domain, you can add "NT AUTHORITY\INTERACTIVE" to the administrators group on the member server. This will grant any logged on user admin rights to the member server when they are logged into it.
>>
>>George Hardy wrote:
>>>hi all,
>>>
>>[quoted text clipped - 7 lines]
>>>thanks,
>>>george hardy
>
> --
> Message posted via http://www.winserverkb.com
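
Whichever approach from this thread is deployed (Restricted Groups for named users, or a broad principal such as "NT AUTHORITY\INTERACTIVE"), the resulting local Administrators membership can be audited. The following PowerShell is an added example, not part of any poster's message; the machine, domain and group names, the SIDs, the allow-list and the function name `Test-LocalAdminMember` are constructed for illustration.

```powershell
# Added example: classify members of the local Administrators group.
function Test-LocalAdminMember {
    param(
        [Parameter(Mandatory)] [object[]] $Members,   # objects with Name and SID
        [string[]] $ApprovedSids = @()                # hypothetical allow-list
    )
    # Well-known SIDs that match every, or nearly every, logged-on user.
    $broad = @{
        'S-1-1-0'      = 'Everyone'
        'S-1-5-4'      = 'NT AUTHORITY\INTERACTIVE'
        'S-1-5-11'     = 'NT AUTHORITY\Authenticated Users'
        'S-1-5-32-545' = 'BUILTIN\Users'
    }
    foreach ($m in $Members) {
        $sid = [string]$m.SID
        if ($broad.ContainsKey($sid)) {
            $finding = 'BroadPrincipal'; $note = "grants admin to $($broad[$sid])"
        } elseif ($sid -match '^S-1-5-21-[\d-]+-513$') {   # RID 513 = Domain Users
            $finding = 'BroadPrincipal'; $note = 'grants admin to all domain users'
        } elseif ($ApprovedSids -contains $sid) {
            $finding = 'Approved'; $note = ''
        } else {
            $finding = 'NotApproved'; $note = 'not on the approved list'
        }
        [pscustomobject]@{ Finding = $finding; Name = $m.Name; SID = $sid; Note = $note }
    }
}

# Constructed sample membership (machine, domain, group names and SIDs are made up).
$dom = 'S-1-5-21-1111111111-2222222222-3333333333'
$sample = @(
    [pscustomobject]@{ Name = 'PC01\Administrator';       SID = 'S-1-5-21-4444444444-5555555555-6666666666-500' }
    [pscustomobject]@{ Name = 'EXAMPLE\Domain Admins';    SID = "$dom-512" }
    [pscustomobject]@{ Name = 'EXAMPLE\AppInstallers';    SID = "$dom-1105" }
    [pscustomobject]@{ Name = 'EXAMPLE\jsmith';           SID = "$dom-1142" }
    [pscustomobject]@{ Name = 'NT AUTHORITY\INTERACTIVE'; SID = 'S-1-5-4' }
)
$approved = $sample[0..2].SID   # first three entries form the constructed allow-list

# Show only the entries that need attention.
Test-LocalAdminMember -Members $sample -ApprovedSids $approved |
    Where-Object Finding -ne 'Approved' | Format-Table -AutoSize

# On a live machine, feed it the real group (S-1-5-32-544 = BUILTIN\Administrators):
#   Test-LocalAdminMember -Members (Get-LocalGroupMember -SID 'S-1-5-32-544') -ApprovedSids $approved
```

With the sample data, the report lists `EXAMPLE\jsmith` as `NotApproved` and `NT AUTHORITY\INTERACTIVE` as `BroadPrincipal`.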