Guest Laphan
Posted November 24, 2007

Hi All

I had a problem whereby the teachers couldn't use their home internet on their 'domain-linked' laptops because of the limited access that they get.

Didn't want to make them part of the domain admins groups so somebody suggested that I add the domain users group (which they are part of) to the laptop's local admins (ie via Computer Management / Users&Groups/ Groups/ Admins.

Is this OK to do?

They seem to be able to get to the TCP/IP bit now, but what other 'doors' have I opened to the blessed teachers by doing this?

Can they install/uninstall software now???

Thanks

Laphan

Guest Pegasus (MVP)
Posted November 24, 2007

Re: Making domain users local admins

"Laphan" <admin@DontSpam.com> wrote in message news:exPmZfqLIHA.4456@TK2MSFTNGP03.phx.gbl...
> Hi All
>
> I had a problem whereby the teachers couldn't use their home internet on
> their 'domain-linked' laptops because of the limited access that they get.
>
> Didn't want to make them part of the domain admins groups so somebody
> suggested that I add the domain users group (which they are part of) to the
> laptop's local admins (ie via Computer Management / Users&Groups/ Groups/
> Admins.
>
> Is this OK to do?
>
> They seem to be able to get to the TCP/IP bit now, but what other 'doors'
> have I opened to the blessed teachers by doing this?
>
> Can they install/uninstall software now???
>
> Thanks
>
> Laphan
>

They will be able to install/modify/uninstall anything on their PCs and they have full access to all files and folders. They have no general access to server-based files but you should test this to be on the safe side.

Guest Kerry Brown
Posted November 24, 2007

Re: Making domain users local admins

With XP there is almost no other way to allow users to use their computer for normal use. With Vista this will change somewhat with UAC as programs are updated to be Vista compatible.

--
Kerry Brown
Microsoft MVP - Shell/User
http://www.vistahelp.ca

"Laphan" <admin@DontSpam.com> wrote in message news:exPmZfqLIHA.4456@TK2MSFTNGP03.phx.gbl...
> Hi All
>
> I had a problem whereby the teachers couldn't use their home internet on
> their 'domain-linked' laptops because of the limited access that they get.
>
> Didn't want to make them part of the domain admins groups so somebody
> suggested that I add the domain users group (which they are part of) to the
> laptop's local admins (ie via Computer Management / Users&Groups/ Groups/
> Admins.
>
> Is this OK to do?
>
> They seem to be able to get to the TCP/IP bit now, but what other 'doors'
> have I opened to the blessed teachers by doing this?
>
> Can they install/uninstall software now???
>
> Thanks
>
> Laphan
>

Guest Florian Frommherz [MVP]
Posted November 24, 2007

Re: Making domain users local admins

Howdie!

Laphan wrote:
> Didn't want to make them part of the domain admins groups so somebody
> suggested that I add the domain users group (which they are part of) to the
> laptop's local admins (ie via Computer Management / Users&Groups/ Groups/
> Admins.
>

Don't make them admins. That's way too much. If those laptops are on Windows XP, you can use the "Network Operators" group to let them change IP and network configuration.

cheers,

Florian
--
Microsoft MVP - Windows Server - Group Policy.
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.

Guest Laphan
Posted November 24, 2007

Re: Making domain users local admins

Hi

Tried that and it wouldn't work.

As soon as they got the network components list, ie Client for Networks, TCP/IP, etc, they couldn't click into the TCP/IP entry to go and edit it.

Although I'm saying that I made them network operators via Active Directory control panel on the server!

Should I have made the teachers network operators on the Local Admin setup of the laptop?

Thanks

Laphan

"Florian Frommherz [MVP]" <florian@PLEASELEAVETHISOUT.frickelsoft.net> wrote in message news:uRFrsKsLIHA.4688@TK2MSFTNGP06.phx.gbl...

Howdie!

Laphan wrote:
> Didn't want to make them part of the domain admins groups so somebody
> suggested that I add the domain users group (which they are part of) to the
> laptop's local admins (ie via Computer Management / Users&Groups/ Groups/
> Admins.
>

Don't make them admins. That's way too much. If those laptops are on Windows XP, you can use the "Network Operators" group to let them change IP and network configuration.

cheers,

Florian
--
Microsoft MVP - Windows Server - Group Policy.
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.

Guest Florian Frommherz [MVP]
Posted November 24, 2007

Re: Making domain users local admins

Howdie!

Laphan wrote:
> Although I'm saying that I made them network operators via Active Directory
> control panel on the server!
>
> Should I have made the teachers network operators on the Local Admin setup
> of the laptop?

Of course you need to make those changes on the client computers. Have a look at "Restricted Groups":

http://technet2.microsoft.com/windowsserver/en/library/2715d832-fe71-47f7-86fd-412f013a40cd1033.mspx?mfr=true
http://www.frickelsoft.net/blog/?p=13

cheers,

Florian
--
Microsoft MVP - Windows Server - Group Policy.
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.

Guest \RemS
Posted November 24, 2007

Re: Making domain users local admins

"Florian Frommherz [MVP]" wrote:
> Howdie!
>
> Laphan wrote:
> > Although I'm saying that I made them network operators via Active Directory
> > control panel on the server!
> >
> > Should I have made the teachers network operators on the Local Admin setup
> > of the laptop?
>
> Of course you need to make those changes on the client computers. Have a
> look at "Restricted Groups":
>
> http://technet2.microsoft.com/windowsserver/en/library/2715d832-fe71-47f7-86fd-412f013a40cd1033.mspx?mfr=true
> http://www.frickelsoft.net/blog/?p=13
>
> cheers,
>
> Florian
> --
> Microsoft MVP - Windows Server - Group Policy.
> eMail: prename [at] frickelsoft [dot] net.
> blog: http://www.frickelsoft.net/blog.
>

Assuming you are using cached credentials.

It is recommended to create a new security group in AD and add that group to the local groups (using 'Restricted Groups'), rather than adding the user account directly to the local groups. Then use ADU&C to control the members of the new AD group, by adding or deleting users to this group. Once the AD group is added to the specific local group, users just have to log off and log on at the office, after you added them to the group in AD.

Go through this thread about 'Restricted groups':
http://www.petri.co.il/forums/showthread.php?t=12489

Alternatively you can control the members of local groups by script:
http://windows.stanford.edu/Public/Infrastructure/localgroup.html#Scripts

In this case you add the new AD security group to the local groups by computer startup script, instead of using the 'Restricted Groups' computer configuration policy.

If the users do not use cached credentials, then use the local account the users use to log on at home (or use a startup script to add a new local user account to the computers). Then add that account to the group; you can do that also by using Restricted Groups.

\Rems

Guest Al Dunbar
Posted November 25, 2007

Re: Making domain users local admins

"Florian Frommherz [MVP]" <florian@PLEASELEAVETHISOUT.frickelsoft.net> wrote in message news:uRFrsKsLIHA.4688@TK2MSFTNGP06.phx.gbl...
> Howdie!
>
> Laphan wrote:
>> Didn't want to make them part of the domain admins groups so somebody
>> suggested that I add the domain users group (which they are part of) to
>> the laptop's local admins (ie via Computer Management / Users&Groups/
>> Groups/ Admins.
>>
>
> Don't make them admins. That's way too much. If those laptops are on
> Windows XP, you can use the "Network Operators" group to let them change
> IP and network configuration.

And don't add a generic AD group like "Domain Users" to *any* group with privileges on a workstation. This is why "\RemS" recommended you create a new AD group for the purpose - so that it can be managed.

/Al

> cheers,
>
> Florian
> --
> Microsoft MVP - Windows Server - Group Policy.
> eMail: prename [at] frickelsoft [dot] net.
> blog: http://www.frickelsoft.net/blog.

Guest Mohamed Garrana
Posted December 5, 2007

Re: Making domain users local admins

Hey Laphan,

Have you tried setting TCP/IP alternate configuration for them to use at home? What exactly is it that they want to do at home and they can't? Changing their TCP/IP configuration?

"Laphan" wrote:
> Hi
>
> Tried that and it wouldn't work.
>
> As soon as they got the network components list, ie Client for Networks,
> TCP/IP, etc, they couldn't click into the TCP/IP entry to go and edit it.
>
> Although I'm saying that I made them network operators via Active Directory
> control panel on the server!
>
> Should I have made the teachers network operators on the Local Admin setup
> of the laptop?
>
> Thanks
>
> Laphan
>
> "Florian Frommherz [MVP]" <florian@PLEASELEAVETHISOUT.frickelsoft.net> wrote
> in message news:uRFrsKsLIHA.4688@TK2MSFTNGP06.phx.gbl...
> Howdie!
>
> Laphan wrote:
> > Didn't want to make them part of the domain admins groups so somebody
> > suggested that I add the domain users group (which they are part of) to
> > the laptop's local admins (ie via Computer Management / Users&Groups/ Groups/
> > Admins.
> >
>
> Don't make them admins. That's way too much. If those laptops are on
> Windows XP, you can use the "Network Operators" group to let them change
> IP and network configuration.
>
> cheers,
>
> Florian
> --
> Microsoft MVP - Windows Server - Group Policy.
> eMail: prename [at] frickelsoft [dot] net.
> blog: http://www.frickelsoft.net/blog.
>

Guest Trevor Sullivan
Posted January 14, 2008

Re: Making domain users local admins

Adding your "Domain Users" group to all the local admin groups on your systems is asking for trouble. Think about it ... if a virus executes as a user on one system, that virus will automatically have full rights to remotely install itself on everyone's system.

At **LEAST** just add individual users to the admin group, if you're going to do it at all, but I would put some effort into investigating how to get around the admin rights problem altogether. Aaron Margosis has some excellent blog entries about working around LUA bugs.

----------------
Trevor Sullivan
Systems Engineer

Laphan wrote:
> Hi All
>
> I had a problem whereby the teachers couldn't use their home internet on
> their 'domain-linked' laptops because of the limited access that they get.
>
> Didn't want to make them part of the domain admins groups so somebody
> suggested that I add the domain users group (which they are part of) to the
> laptop's local admins (ie via Computer Management / Users&Groups/ Groups/
> Admins.
>
> Is this OK to do?
>
> They seem to be able to get to the TCP/IP bit now, but what other 'doors'
> have I opened to the blessed teachers by doing this?
>
> Can they install/uninstall software now???
>
> Thanks
>
> Laphan
>

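Added example, not part of any post in this thread: a PowerShell check for the configuration Al Dunbar and Trevor Sullivan warn about, flagging catch-all principals such as "Domain Users" in a local Administrators member list by SID. The function names are hypothetical, the sample computer name, domain name and SIDs are constructed, and the commented live query assumes the LocalAccounts module (Windows PowerShell 5.1 or later), which the XP-era laptops in the thread did not have.

```powershell
# Added example, not from the thread. Function names are hypothetical.
# Well-known SIDs of groups that contain nearly every account.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-4'      = 'INTERACTIVE'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

function Get-BroadPrincipalLabel {
    param([Parameter(Mandatory)][string]$Sid)
    if ($BroadSids.ContainsKey($Sid)) { return $BroadSids[$Sid] }
    # Domain Users is always <domain SID>-513, whatever the domain is named.
    if ($Sid -match '^S-1-5-21(-\d+){3}-513$') { return 'Domain Users' }
    return $null
}

function Find-BroadAdminMember {
    param([Parameter(Mandatory)][object[]]$Member)
    foreach ($m in $Member) {
        $label = Get-BroadPrincipalLabel -Sid ([string]$m.SID)
        if ($label) {
            [pscustomobject]@{ Name = $m.Name; SID = [string]$m.SID; Reason = $label }
        }
    }
}

# Constructed sample: Administrators on a laptop after the change described
# in the first post. Computer name, domain name and SIDs are made up.
$dom = 'S-1-5-21-1111111111-2222222222-3333333333'
$sample = @(
    [pscustomobject]@{ Name = 'LAPTOP01\Administrator'; SID = 'S-1-5-21-4444444444-5555555555-6666666666-500' }
    [pscustomobject]@{ Name = 'SCHOOL\Domain Admins';   SID = "${dom}-512" }
    [pscustomobject]@{ Name = 'SCHOOL\Domain Users';    SID = "${dom}-513" }
)

Find-BroadAdminMember -Member $sample | Format-Table -AutoSize

# On a live machine with the LocalAccounts module (assumption: PS 5.1+):
#   Find-BroadAdminMember -Member (Get-LocalGroupMember -SID 'S-1-5-32-544')
```

Matching on SIDs rather than names keeps the check working on localized Windows builds and in renamed domains.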