General discussion


Users Privileges in AD

By aseem_kumar_2001 ·
I got a windows 2000 domain
Have created some users in it.
On workstations either win2k pro or WinXP is running
Now the domain users that i have created are simple users, with all default settings.
No group policy of any kind has yet been applied

Now as the users are made part of simple users group they donot get the permission to install any software on their computers.

I got to know of a method and applied that, in which a user is made part of local administrators account by going into groups in computer management and adding the user in their.
The users get full privilages but then they also are able to access the domain controller with full rights. They are able to access the hidden shares, which i want to prevent.

What has to be done in this regard?

This conversation is currently closed to new comments.

Thread display: Collapse - | Expand +

All Comments

Collapse -

by ICB's corner In reply to Users Privileges in AD

Domain Users have limited rghts on workstations.
You can delegate temporarily an user to have administrative privilege over an organizational unit or give local administrator privilege by local administrators group.

Collapse -

by Dchristy In reply to Users Privileges in AD

There are a couple of ways to handle this.

The quickest way, depending on the number of workstations and users, is to add the users to the local Administrators group on the workstation. You can either add each user to just particular workstations and minimize the rights for all users, or add all users to each workstation. If you want all users to have rights to all workstations then you will want to create a group, call it Workstation Admins or something like that and add it to the local admin group on the workstation.

A second way to add the groups to all workstations is to use group policy to set what users/groups have rights on the workstations. The important thing to remember about this method is that it replaces all the members of the group. For example, if you set the policy to have Domain Admins and Workstation Admins be in the local admin group on the workstation, and then add a user, call it Bill, who is not in one of those groups, the next time the policy refreshes Bill will be removed from the local group.

As far as rights to the Domain Controllers this should not happen by adding them to the local admin group on the workstations. If you added them to the built-in adminstrators group on the DC then they will have rights. Definitely don't want to do this. If they are in that group on the DC remove them and they will no longer have access.

Collapse -

by aseem_kumar_2001 In reply to Users Privileges in AD

Let me try doing this with group policy. And check other things. Hey Dchristy do u know of anyplace on net where i can find some case studies on implementing of AD in a software firm.

Related Discussions

Related Forums