active directory users rights

[q2418130103p]

You know how if you hvae a domain, you can login to any computer joined to the domain using an active directory user name? even if the name is not listed as one of the users on the computer?

well you also know how by default, an active directory user name like that with no matching local user name will only be given User privlages by default?

is there a way to manage the privlages of a user on the domain computers from the server with out going on the computer and adding a domain user (by using control userpasswords2 command in windows xp)?

[q2418130103p]

i understand i could use the Computer management snap in and connect to the remote computer and add the user there, but i find that to be a bit, well, too much work and seems like the poor mans way of doing it.

[faulkner132]

By default, Domain Users logging into a Domain Computer will receive permissions assigned to them by the Domain Controller. Only if you want to give users extra permissions on a certain computer (i.e. make them a local Administrator for their computer) would you have to add them to the individual computer's permissions.

[q2418130103p]

so i cant assign rights to a user to be a local administrator with out adding them to the computer itself?

so the only permissions i can assign from the DC are for network access and files etc...

is there any way to add the users to the local computers with out having to do it phsyicly on them (and with out remote decktop connection), like by using a snapin or soemthing?

[faulkner132]

Quote:

Originally Posted by q2418130103p so i cant assign rights to a user to be a local administrator with out adding them to the computer itself?

Correct... otherwise every Domain User would have local administrative rights to every machine in the Domain.

Quote:

Originally Posted by q2418130103p is there any way to add the users to the local computers with out having to do it phsyicly on them (and with out remote decktop connection), like by using a snapin or soemthing?

Not that I know of, the answer above is the reason.

[q2418130103p]

i just figured that since the computers were added to the domain, that i would be able to control who can administer them from the dc, seeing as the computers now have a trust relationship with the dc.

i read an article suggesting that i could make an OU of the computers i want to add local administrivae support to, then right click on it and run the delegate control wizrd, you ever tried that? i would just try it right now, but im not at the computer.

[mairving]

I found this on Google groups:

Quote:

What you can do is create a script that uses the Net group command with a variable for the user name to add them to the local Administrators account. The command would be: net localgroup administrators %usersdomain%\%username% /add This will take the currently logged on user and add them to the Local Administrators group on the workstation. You can run the script at logon. The following is an article that describes how to assign logon scripts. 322241 HOW TO: Assign Scripts in Windows 2000 http://support.microsoft.com/?id=322241

You would just have to be selective in who the script runs for.

[q2418130103p]

but what if you only wanted to script to run for certain users on certain computers?

[faulkner132]

Quote:

Originally Posted by q2418130103p but what if you only wanted to script to run for certain users on certain computers?

You can control what scripts runs for each user in the Active Directory Users and Computers control on your DC. As for controling the script for the user depending on the computer, I'm not sure.

[q2418130103p]

yeah, i knew about controlling scripts per users, and even doing it in an ou, but i need to make specifiec people admins of specifiec computers, im probably just gonna do it by hand