
Group Membership Problem!
RenatoBerana

2003-10-15, 10:43 am

I added one user account to the Administrators group, but it seems like it's not taking effect; he is still unable to install software or do other administrative tasks. I asked him to log off and log on again, but it's still the same problem. I have only one domain controller. What steps should I take? Please help.
jeff_j_black

2003-10-15, 5:39 pm

Is his account a member of the Administrators group on the local machine?
RenatoBerana

2003-10-16, 3:07 am

I don't think so, Jeff! Do I need to add this domain user account to the Administrators group on the local machine?
jeff_j_black

2003-10-16, 11:26 am

Correct. For the user to have extensive permissions to the registry and system folders such that they can install software, drivers, etc., include their account, or a group that they are a member of, in the local Administrators group on the target machines.

I read just yesterday that there's a logon script that can automatically add the current user to this group when they log on. There are also scripts you can run to remotely add members to local groups.

We had to add the users to the local Administrators group because of software such as AutoCAD that writes extensive information to the registry on a per-user / per-machine basis. I don't like it personally, but have not had the time to test other scenarios. My guess is that there is a better solution, but it would require some scripting and extensive testing.
Tarzanboy

2003-10-16, 4:21 pm

Script to add a user to Local Admins group on a system

Jeff, this might not be the simplest method, but wouldn't it be possible to alleviate the permissions dilemma on your systems by isolating the registry entries that the users need to modify and changing the ACLs on those, rather than granting local admin access?

Cheers,
TB
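TB's alternative carried through in working form, as an added example that is not code from anyone in the thread: grant the user Modify-level rights on only the per-machine registry key and data folder the application writes to, and leave them out of the local Administrators group. The account name, key path and folder below are assumptions for illustration; the real ones are found by running the application as a standard user and watching what it fails to write (Process Monitor filtered on ACCESS DENIED is the usual tool).

```powershell
# Added example (not from anyone in the thread): instead of putting the user in the
# local Administrators group, grant that user Modify-level rights on just the
# per-machine registry key and data folder the application writes to.
# Account, key path and folder are assumptions for illustration.
#Requires -RunAsAdministrator

$Account = 'CORP\jdoe'                    # hypothetical domain user
$KeyPath = 'HKLM:\SOFTWARE\ContosoCAD'    # hypothetical per-machine application key
$Folder  = 'C:\ProgramData\ContosoCAD'    # hypothetical per-machine data folder

function Grant-ScopedRegistryRights {
    param([string]$Path, [string]$Identity)
    if (-not (Test-Path -Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    $acl = Get-Acl -Path $Path
    # Enough to create and change values and subkeys. Deliberately not FullControl:
    # no WriteDac/WriteOwner, so the user cannot widen the ACL or take ownership.
    $rights = [System.Security.AccessControl.RegistryRights]'ReadKey, SetValue, CreateSubKey, Delete'
    $rule = [System.Security.AccessControl.RegistryAccessRule]::new(
        $Identity,
        $rights,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,   # flows to subkeys
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.SetAccessRule($rule)   # replaces any existing explicit ACE for this identity
    Set-Acl -Path $Path -AclObject $acl
}

function Grant-ScopedFolderRights {
    param([string]$Path, [string]$Identity)
    if (-not (Test-Path -Path $Path)) { New-Item -Path $Path -ItemType Directory | Out-Null }
    $acl = Get-Acl -Path $Path
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]::Modify,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.SetAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Test-IsLocalAdministrator {
    # Sanity check: the whole point is that the account is NOT in Administrators.
    param([string]$Identity)
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
    return [bool]($members | Where-Object { $_.Name -eq $Identity })
}

Grant-ScopedRegistryRights -Path $KeyPath -Identity $Account
Grant-ScopedFolderRights   -Path $Folder  -Identity $Account

if (Test-IsLocalAdministrator -Identity $Account) {
    Write-Warning "$Account is still in the local Administrators group; remove it once the scoped ACLs are confirmed to work."
}

# Show the explicit (non-inherited) ACEs just granted, so the change can be reviewed.
foreach ($p in @($KeyPath, $Folder)) {
    (Get-Acl -Path $p).Access |
        Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -eq $Account } |
        Select-Object @{ n = 'Path'; e = { $p } },
                      IdentityReference,
                      AccessControlType,
                      @{ n = 'Rights'; e = { if ($_.PSObject.Properties['RegistryRights']) { $_.RegistryRights } else { $_.FileSystemRights } } }
}
```

Run it once per workstation with elevation. The registry rule is built from individual rights rather than FullControl so that the user can write values and subkeys but cannot change the key's permissions or owner; the folder rule uses Modify for the same reason. If the application turns out to write to further locations (another key under HKLM, a subfolder of Program Files), repeat the grant for each of those paths instead of falling back to Administrators membership.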
jeff_j_black

2003-10-16, 5:01 pm

Yes, you are correct. I think the company I work for is a little behind the curve on Group Policy, etc. I questioned them heavily on why they wanted to make the users part of the local Administrators group. They did not want to budge on this issue at this time. At least it is better than they had it configured under NT. Then they had Domain Users as a member of the local Administrators group. Now it is just that individual user for that workstation. It will get better bit by bit... Have fun all!!!
jeff_j_black

2003-10-18, 11:40 am

I thought this article was pretty cool. I pasted it in its entirety to ensure that credit is given where credit is due:

Oct. 15, 2003
MCP Magazine
http://MCPmag.com
Boswell's Q&A: Local Admin Access via Scripting

** Boswell's Q&A: Local Control

Bill: In our environment we set all users to have local admin
access to their PC. We manually add the Domain User to the Local
Administrators group of the PC they use. Is there a way via a
logon script to add the locally logged on user automatically to
the local admin group?

I came across the ADDUSERS.exe file, but this requires use of a
local admin account and prompts you for a password. I'm looking
to be able to have a user logon to their PC via our default
domain and, when the logon script runs, to automatically add the
users domain account into the local administrators group of the
PC without any user intervention.
--Daniel

Daniel: I think I have a good solution, but it uses Group Policy
Objects so it only works if your clients run Windows 2000 or XP.
Here goes:

There's a Security Group Policy called Restricted Groups. This
policy allows you to specify the membership of a group on a
local machine or in the domain. The policy setting is in
Computer Configuration | Windows Settings | Security Settings |
Restricted Groups.

When you test this policy, be sure to create a test GPO and link
it to a test OU. You don't want to cause havoc on your desktops
during testing if you accidentally overwrite a critical member
in a critical local group.

Create the policy setting by right-clicking the Restricted Groups
icon and selecting Add Group from the flyout menu. This opens an
Add Group window.

Don't click the Browse button. This allows you to browse the
domain, but you want to control the membership of a local group.
Instead, just type the group name into the field exactly as it
appears in the local group listing. For example, to control the
membership of the local Administrators group, type
"Administrators". (The policy entry is not case-sensitive.)

When you click OK, a Properties window opens. The window has two
parts: "Members Of This Group" and "This Group Is A Member Of."

Click Add next to the Members Of This Group field. The Add
Member window opens. Click the Browse button and browse for a
group called INTERACTIVE. This is a well-known SID representing
the user that has logged on at the console of the machine.

Putting the Interactive group into Administrators gives local
admin privileges to whoever logs in at the console. Use a bit of
caution here, because some applications finesse the local logon
feature for network clients. For example, the IUSR account in
IIS is given local logon, so you don't want to apply this policy
to any machines running IIS or Personal Web Services. To be
completely safe, don't link this GPO to any OUs that contain servers.

Because the Restricted Groups policy overwrites the current
content of the specified group, you'll need to also add the
Domain Admins group and the local Administrator account to this
restricted group policy. Don't browse for the Administrator
account; just type the word "Administrator" into the Add Member
window. Otherwise, you'll add the domain Administrator account
and the local Administrator account will not have admin rights.

As soon as you click OK on the list of names, the policy gets
written to Sysvol. If you wait for 90 to 120 minutes, the
standard background refresh at the clients will pull the policy
from Sysvol and the security engine will apply the policy to the
local SAM. If you want to hurry up the process for testing, run:

GPUPDATE

at a Windows XP desktop or:

SECEDIT /refreshpolicy machine_policy

at a Windows 2000 desktop. Use the Computer Management console
to see the local accounts and groups and verify that the
Administrators group has the members you specified.

A final word of caution. Some applications require local
administrative access. These apps typically install a member in
the local Administrators group. Before you put this Restricted
Groups policy into production and overwrite all the current
membership entries, you'll want to sweep the Administrators group
on your desktops to find any non-standard members. Here's a brief
script that obtains a list of member computers in a domain and
prints out the membership of the local Administrators group:

' Sweep the local Administrators group on every computer object in the domain.
' Run from a domain-joined machine with an account that can read local group
' membership on the targets (typically a member of Domain Admins).
Option Explicit
Dim RootDSE, domainDN, connection, command, rs
Dim computerFlatName, administrators_group, member

Set RootDSE = GetObject("LDAP://RootDSE")
domainDN = RootDSE.Get("DefaultNamingContext")

Set connection = CreateObject("ADODB.Connection")
connection.Provider = "ADsDSOObject"
connection.Open

Set command = CreateObject("ADODB.Command")
Set command.ActiveConnection = connection
command.Properties("Page Size") = 3000   ' paged search so a domain with more than
                                         ' MaxPageSize (1000 by default) computers comes back
command.Properties("searchscope") = 2    ' ADS_SCOPE_SUBTREE: search the entire domain
command.CommandText = "SELECT AdsPath, cn FROM 'LDAP://" & _
    domainDN & _
    "' WHERE objectcategory = 'computer'"

Set rs = command.Execute

Do Until rs.EOF
    computerFlatName = rs.Fields("cn").Value
    WScript.Echo "Members of Administrators local group on " & computerFlatName

    ' Bind to the local group through the WinNT provider. This fails for machines
    ' that are off, firewalled or otherwise unreachable, so trap errors here only.
    On Error Resume Next
    Set administrators_group = GetObject("WinNT://" & computerFlatName & "/Administrators,group")
    If Err.Number <> 0 Then
        WScript.Echo vbTab & "Computer not available (" & Err.Description & ")"
        Err.Clear
    Else
        For Each member In administrators_group.Members
            ' ADsPath tells the local Administrator (WinNT://<computer>/...) apart
            ' from the domain Administrator (WinNT://<domain>/...)
            WScript.Echo vbTab & member.Name & vbTab & member.ADsPath
        Next
    End If
    On Error GoTo 0

    Set administrators_group = Nothing
    WScript.Echo ""
    rs.MoveNext
Loop

You can modify the script to use an OU rather than the entire
domain to reduce the network traffic.

Hope this helps.
--Bill Boswell

Contributing Editor Bill Boswell, MCSE, is a principal of The
Windows Consulting Group and author of "Inside Windows 2000
Server" and "Inside Windows Server 2003"
( http://tinyurl.com/cw8c ), both from Addison-Wesley. He's also
MCPmag.com's "Windows Insider" columnist
( http://mcpmag.com/columns/insider ). You can contact him at
mailto:boswell@mcpmag.com .

---
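The column's three warnings (Restricted Groups overwrites the group, browsing adds the domain Administrator instead of the local one, and some applications have planted their own members) all come down to knowing exactly who is in Administrators on each workstation before the policy lands. The sweep below is an added example, not Bill Boswell's code or anything posted in the thread: it walks the computers in an OU, reads each local Administrators group over the WinNT provider, and classifies every member by SID against the policy described above (local Administrator, Domain Admins, INTERACTIVE). Comparing by SID rather than name means a renamed local Administrator is still recognised and the domain Administrator (RID 500 under the domain's SID) is called out as the browse mistake. The OU distinguished name is an assumption; everything else is derived from the domain at run time.

```powershell
# Added example, not from the column: before a Restricted Groups policy of
# {Administrator, Domain Admins, INTERACTIVE} overwrites every workstation's
# Administrators group, list the current members and flag what the policy
# would remove. Members are classified by SID, so a renamed local Administrator
# is still recognised and the *domain* Administrator (added by browsing instead
# of typing "Administrator") is reported separately. The OU is an assumption.
param(
    [string]$SearchBase = 'OU=Workstations,DC=corp,DC=example'   # hypothetical OU
)

# Domain SID, then the well-known SIDs the policy keeps (or, for the domain
# Administrator, the one the column warns you not to add by mistake).
$domainDn  = ([ADSI]'LDAP://RootDSE').defaultNamingContext.Value
$domainSid = [System.Security.Principal.SecurityIdentifier]::new(
    ([ADSI]"LDAP://$domainDn").objectSid.Value, 0)
$domainAdminsSid = [System.Security.Principal.SecurityIdentifier]::new(
    [System.Security.Principal.WellKnownSidType]::AccountDomainAdminsSid, $domainSid)   # <domain>-512
$domainAdminSid  = [System.Security.Principal.SecurityIdentifier]::new(
    [System.Security.Principal.WellKnownSidType]::AccountAdministratorSid, $domainSid)  # <domain>-500
$interactiveSid  = [System.Security.Principal.SecurityIdentifier]::new(
    [System.Security.Principal.WellKnownSidType]::InteractiveSid, $null)                # S-1-5-4

function Get-AdministratorsReport {
    param([string]$Computer)
    # "Administrators" is the English group name; bind by the localised name on non-English builds.
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $name  = $m.GetType().InvokeMember('Name',      'GetProperty', $null, $m, $null)
        $bytes = $m.GetType().InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
        $sid   = [System.Security.Principal.SecurityIdentifier]::new([byte[]]$bytes, 0)

        # Order matters: the domain Administrator also ends in -500, so test it
        # before the generic "RID 500 in some other (machine) domain" rule.
        $status = if ($sid -eq $domainAdminsSid) { 'kept (Domain Admins)' }
                  elseif ($sid -eq $interactiveSid) { 'kept (INTERACTIVE)' }
                  elseif ($sid -eq $domainAdminSid) { 'REMOVED - domain Administrator; type "Administrator" instead of browsing' }
                  elseif ($sid.Value -like 'S-1-5-21-*-500' -and $sid.AccountDomainSid -ne $domainSid) { 'kept (local Administrator)' }
                  else { 'REMOVED by policy - review (application or manually added member)' }

        [pscustomobject]@{ Computer = $Computer; Member = $name; Sid = $sid.Value; Status = $status }
    }
}

# Enumerate computer objects under the OU; paging keeps large OUs complete.
$searcher = [System.DirectoryServices.DirectorySearcher]::new(
    [ADSI]"LDAP://$SearchBase", '(objectCategory=computer)')
$searcher.PageSize = 1000
[void]$searcher.PropertiesToLoad.Add('cn')

$report = foreach ($r in $searcher.FindAll()) {
    $computer = [string]$r.Properties['cn'][0]
    try   { Get-AdministratorsReport -Computer $computer }
    catch { [pscustomobject]@{ Computer = $computer; Member = $null; Sid = $null; Status = "unreachable: $($_.Exception.Message)" } }
}

$report | Sort-Object Computer, Member | Format-Table -AutoSize
# Everything the policy would remove goes to a file for review before the GPO is linked.
$report | Where-Object Status -like 'REMOVED*' | Export-Csv -NoTypeInformation -Path .\admins-to-review.csv
```

Run it from a domain-joined machine as an account that can read local group membership on the workstations, and link the Restricted Groups GPO only after every "REMOVED" row has either been accepted or added to the policy's member list. The same report run again after the policy applies (following GPUPDATE on a test machine) confirms that the group ended up with exactly the members you specified.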
Tarzanboy

2003-10-18, 3:28 pm

Interesting stuff, which would seem to meet some of your requirements, although giving local admin privs to INTERACTIVE would scare the crap out of me. In my non-expert opinion it would seem that to retain any semblance of security, you'd need to audit fairly heavily and have the results saved to an external system.

Cheers,
TB
jeff_j_black

2003-10-18, 3:38 pm

Still, INTERACTIVE would be based only on those who have rights to log on interactively.