Make a user a local admin on their machine but not affect other machines

Make a user a local admin on their machine but not affect other machines

Post by FurBo » Thu, 23 Oct 2003 23:58:41


Is there a way to make allow a user to be an administrator on their local
machine but not on other machines. Is this done through group policy and if
so can someone point me in the right direction?

Thanks in advance

Andy
 
 
 

Make a user a local admin on their machine but not affect other machines

Post by Marina Roo » Fri, 24 Oct 2003 00:06:45

On the machine itself, Control Panel, Users and Groups, make the user a
member of the local Administrators-Group.

Marina

"FurBot" < XXXX@XXXXX.COM > schreef in bericht

if

 
 
 

Make a user a local admin on their machine but not affect other machines

Post by Remove .no » Fri, 24 Oct 2003 00:08:50

Yeah, sure.

On the local machine, add them to the local administrators group. This will
give them total control over their own machine, but only domain level
permissions on the network, and those computers connected to it.

Be careful though, if this particular machine has more than one user, adding
him or her to the Administrator group will allow access to all files for all
users on that one machine.

Rich



if
 
 
 

Make a user a local admin on their machine but not affect other machines

Post by FurBo » Fri, 24 Oct 2003 00:34:03

Local user accounts dont apply because they are logging onto the domain not
the local machine. Im thinking its done through OU and group policy but im
not sure how to go about doing that.


"Richard Fleming (Remove .nospam)" < XXXX@XXXXX.COM > wrote in

will
adding
all


local
 
 
 

Make a user a local admin on their machine but not affect other machines

Post by Oli Restor » Fri, 24 Oct 2003 03:48:02

You're right that local accounts don't apply, but Richard was not suggesting
that.

He was suggesting that you add the user's DOMAIN account to the
administrators group on the LOCAL PC.

If you want to allow any user to be an administrator of a particular machine
only while logged in at the console, you could add the group called
INTERACTIVE to the administrators group. This will give admin access at the
local machine, but not over the network.

Bear in mind that you are allowing your users to look at and modify the
cached profile directories of other users if you do this. If Power User is
sufficient rights, use that instead.

The Group Policy feature you're thinking of is called Restricted Groups. Do
a search on support.microsoft.com for this and you'll find some good
articles.

Regards

Oli




not
im



and