Local Administrator Rights in a Domain

By asarak
Good day guys,
I want to solve a problem.
The main program that we use is 3-tier, using COM+ objects, which are stored in
C:\Program Files\ComPlus Applications\env\
and also write into this directory.

Also, during setup I have to set up the component service, so I also need to have local administrator rights to do this.

I want to have an OU in my domain whose single users (with almost no privileges) have administrative rights at this local path.

Is there any policy tip to solve it? Or any other ideas?

Thanks for your help.

One Solution that you can try...

by Izak Visser In reply to Local Administrator Right ...

Hi Asarak
One of the ways you can do it is by using a cloning utility together with Active Directory. I had the same problem with a 3rd party database program and after struggling for weeks, I finally managed to get it to work perfectly.

First thing you obviously need to do is create a Global Security group in the Active Directory infrastructure and name it (for practical reasons) "ComPlus Administrators". Now add the users that need to have administrative access to the C:\Program Files\ComPlus Applications\env folder to this group.

On one single workstation, navigate to this folder, go into the properties of the folder, select the Security tab, click on Advanced and deselect the "Inherit from parent the permission entries that apply to child objects. Include these with entries explicitly defined here" checkbox. If it asks you what to do with these entries you should select "Copy". Now remove any "Deny" permissions you might encounter, especially if it is set to deny access to the "Everyone" group. Now add the "ComPlus Administrators" group to this folder and give them full access.

After you have done this, you should use drive cloning software like Norton Ghost to copy these settings onto each and every computer you need. Just be careful though, make sure you have the right licenses and similar hardware sets, otherwise you might sit in a pickle. After you have done this, use a utility like NewSID to just reset the security identifiers and rename the computer to its original name. Also read up on how cloning programs work, this will help greatly in the future.

Kind Regards
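
The folder-permission steps from the post above as a PowerShell script; this is an added example, not something posted in the thread. The domain name `CONTOSO` is a placeholder, the right to grant is a parameter, and Deny entries are listed for review rather than removed automatically.

```powershell
# Added example, not from the thread. CONTOSO is a placeholder domain name.
# Run from an elevated PowerShell session on a domain-joined workstation.
param(
    [string]$Path  = 'C:\Program Files\ComPlus Applications\env',
    [string]$Group = 'CONTOSO\ComPlus Administrators',
    # The post grants full access; 'Modify' is worth testing first if the
    # application only needs to read and write files in the folder.
    [System.Security.AccessControl.FileSystemRights]$Rights = 'FullControl'
)

if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
    throw "Folder not found: $Path"
}

# Resolve the group to a SID first, so a typo or an unreachable domain
# controller stops the script before the ACL is touched.
$account = New-Object System.Security.Principal.NTAccount($Group)
$sid = $account.Translate([System.Security.Principal.SecurityIdentifier])

$acl = Get-Acl -LiteralPath $Path

# Equivalent of clearing the "Inherit from parent" checkbox and choosing
# "Copy": protect the ACL and keep the inherited entries as explicit ones.
$acl.SetAccessRuleProtection($true, $true)

# Grant the group the requested right on the folder, subfolders and files.
# SetAccessRule replaces an earlier grant for the group, so re-runs are safe.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $account, $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.SetAccessRule($rule)
Set-Acl -LiteralPath $Path -AclObject $acl

# Read the ACL back by SID and confirm the grant is really there.
$final = Get-Acl -LiteralPath $Path
$rules = $final.GetAccessRules($true, $true,
    [System.Security.Principal.SecurityIdentifier])
$grant = $rules | Where-Object {
    $_.IdentityReference.Value -eq $sid.Value -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.FileSystemRights -band $Rights) -eq $Rights
}
if (-not $grant) { throw "Grant for $Group not found on $Path" }

# List Deny entries for review instead of deleting them blindly.
$final.Access | Where-Object { $_.AccessControlType -eq 'Deny' } |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
```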


thank you a lot

by asarak In reply to One Solution that you can ...

Thanks Izak, I am going to try it this weekend....

thanks a lot.



by Ou Jipi je In reply to One Solution that you can ...

While you were doing all that, were you not scratching your head thinking there MUST be an easier way to do this? :)

I am not going to tell you exactly how, it would be too easy. Do some reading on the "security analysis and configuration tool" MMC snap-in, which should permit you to achieve what you want to achieve in a matter of a few hours (including testing). If you have done it once, next time it will take you minutes (obviously you should always test things before applying to production machines, thus a few minutes + testing).

Scratching Heads :-)

by Izak Visser In reply to question

Well, I constantly scratch my head to see if there aren't easier ways of doing things. LOL, but I am also one of those "get 2 flies with one strike" persons. I have about 70 computers with over 700 users on an ever-changing AD domain and I am using roaming profiles. The biggest problem of course being that roaming profiles are VERY sensitive to the slightest discrepancies. So by setting up a local computer to act as a template and cloning its image to all the other computers in my domain and just renaming them and applying new SIDs, I can manage turning a 6 week process into a weekend job whilst simultaneously eliminating inconsistencies caused by human error, making changes to domain-wide security models, allowing full integration with WSUS, implementing new technologies and programs and making sure each user has a fully stable system to work on, regardless of whichever computer they use.

Quick and Dirty

by asarak In reply to Scratching Heads :-)

It is fine to check with the security configuration tool, but I have a simple domain with 30 users, and have to upgrade and do the right things at 28 remote sites and at least 500 PCs!!!!
So I need something "quick and dirty".

Thanks guys...

Also Izak, it is too heavy for me to do the "cloning", but I will check it in the lab...

REGARDS from sunny Athens

How about a script

by asarak In reply to Quick and Dirty

Also, I may fix the policy locally on a PC, and when I join any other to the domain I run a script to copy this policy locally.

Is that correct?

Interest Peaked :)

by Izak Visser In reply to How about a script

Hi Asarak

You might be onto something there. There are a few options I am currently investigating:

1. Using the IADsSecurityDescriptor interface to set policies through AD.
2. Writing a .bat script that navigates to the necessary file via the CD command and, when it is there, just applies admin access to a certain group of users.
3. Exporting the specific registry entry into a DOS script and including it in the logon script.

This has really peaked my interest <Grinning with Glee>

About Solution

by asarak In reply to Interest Peaked :)

Dear Izak, I need some advice. In the solution, you write that on one single workstation I need to go to the specified folder...

and my question is...

Is that single workstation added to the domain or not?

Best Regards

RE: About Solution

by Izak Visser In reply to One Solution that you can ...

Dear Asarak

Yes. The workstation must be a part of the domain, otherwise it would not be able to recognize the Active Directory global security group "ComPlus Administrators". But to save you a lot of time as well as trouble, do the following: after you have finished setting up and testing your computer, take it off the domain, clone it and use NewSID to generate a new security identifier and to rename it for the domain. Then you can put the computer/s back onto the domain and it shouldn't give you any further hassles from there.

Download NewSID here:

Kind Regards

Creating multiple AD accounts????? Script??

by timnjohnson In reply to RE: About Solution

Hi Izak,

In a given day, I'm being asked to add groups of users to AD. It's taking me sometimes an hour or two just to go through a list of new users. I know there's a script out there that can do exactly that. I'm not heavy into scripting but I'd appreciate anything better than what I have!
Any suggestions, ideas, comments?

