General discussion


make one group a member of another one

By shawnj985 ·
I need to make the domain users group a member of the local admin group on my windows 2000 pro. - SP4 pc. Not sure how to accomplished this.

NOTE: Basically make all of my users (domain users) who log onto the windows 2000 server on certain PCs a member of the local admin group of the affected PCs.

This conversation is currently closed to new comments.

Thread display: Collapse - | Expand +

All Comments

Collapse -

by CG IT In reply to make one group a member o ...

doesn't work that way because user account credentials are stored in 2 entirely different places. logging on locally [the machine] uses stored credentials on that machine. Logging in on the domain uses stored user account credentials stored on the domain controller.

Nary the two shall meet. You can't log on both locally and domain at the same time.

Collapse -

by CG IT In reply to

you could try importing the data say logging in locally and then do a remote access to the domain and import a security group from the domain but doubt that will work.

Collapse -

by D_V Ant In reply to make one group a member o ...

If you want the users to be admins on the local PC, just add the domain users group to the local admin group on the computers.

Right click on My computer
Select manage
Go to local users and groups
Select Groups
select the Administrators group
Add Domain users to this group

ANY domain user that logs on to this computer will have local admin rights.

This is not a very secure solution. I would only do this in extreme instances.

Collapse -

by shawnj985 In reply to

Poster rated this answer.

Collapse -

by curlergirl In reply to make one group a member o ...

On the Windows 2000 Pro machine, log on as a local admin. Go to Administrative Tools/Computer Management. Expand System Tools/Local Users and Groups. Click on Groups and then double-click in the right-hand pane to open the Administrators group. Click the Add button. In the group properties dialog box, make sure the location is set to the domain, not the local machine. You should see all of the domain groups and users listed. Double-click the Domain Users group to add it; then click OK enough times to exit the dialog box and close Computer Manager. Now all users who log on with a domain account that is in the Domain Users group will have local administrator rights on that machine. REMEMBER - they CANNOT log on to the local machine at all; they can ONLY log on to the domain. Think of it this way - as long as the machine is connected to the domain and has a domain computer account, and the user selects to log on to the domain on the login screen, the workstation can authenticate the users and give them their local admin rights because it's actually using the domain credentials. However, it has no local credentials for those users (i.e., the user has no SID on the local machine), so they can't log on as local users.

Hope this helps!

Collapse -

by shawnj985 In reply to

Poster rated this answer.

Collapse -

by shawnj985 In reply to make one group a member o ...

This question was closed by the author

Related Discussions

Related Forums