Hi,

Windows by default assign the domain admins group to the local
administrator group when the PC firstly join to the domain. Can someone
advice me how do I do that for a specific user?

Thanks

The simplest way to accomplish this would be to add that user to the Domain
Admins group...

hth
Marcin

Thanks, But I don't the account to be part of the domain admin though

Marcin wrote:

"Marcin" wrote:

NO!!!!!!!!
If you do that, the user can take control of the server over the LAN, and do
whatever mischief they like to it. And, then some.

The correct method for giving a user full local control is to use a
loginscript with a NET LOCALGROUP command,e.g.

net localgroup Administrators /add jsmith

Ths will give the user full control over the local computer, but without the
rights to remote-manage other computers.

Either that, or it can be achieved through group policy.

Hello OM,

For this you can use the Restricted groups feature form Active Direrctory
in aGPO:
http://www.frickelsoft.net/blog/?p=13

http://www.windowsecurity.com/articles/Using-Restricted-Groups.html

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

Why can't you just right-click My Computer go to Manage-->Local Users and
Groups-->Groups and just add the domain account to the local administrators
group? That is how I always do it. Am I misunderstanding what is being
asked? After I join a PC to the domain, before I reboot the computer for
the changes to take effect, I follow my procedure above and it adds it no
problem (you do have to again supply an account with the proper credentials).
Then when I reboot the computer, the user's account is already added to
the local admins group and ready to go.

Thanks for all the input.

I guess what I want is this process is automatic and it is part of the
process when the machine is joined to the domain. We have couple more
admin. and sometimes one might forget to add the account to the local
admin group.

OM

Hello OM,

Restricted groups is a one time only configuration. If you add a myadmingroup
(create in Active directory) and the local administrator, you have all you
need. In the myadmingroup you add all accounts you like to be local administrator.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm