admin rights for domain users

Hi, how can i grant local computer admin rights to the domain users on the same computer? Please help, thanks.

 

Put their domain account into the local administrator group.

 

Newt correct me if im wrong but the way I do it is like this:

Log on to local machine as Domain Admin.

Go to Control Panel / users and create a new user.

Create the Domain User account on the local machine and select Administrator as the local user rights.

Log off Domain admin and log back on as Domain User and your done.

 

You are doing it the hard way unless you need the user to have admin rights when the PC is not on the network.

For a user on domain bigplace with a username of funguy you would just need to open the administrator group on the PC and add bigplace\funguy to the group. Deed done. No need to create a local account.

 

I'm going to play with this today Newt.
I may have to get back to you for the exact steps for both Win2k and XP.

 

Ok maybe I'm missing something here.

Had a windows XP desktop with a local user account of Local-User in a workgroup of WORKGROUP

The is already a Domin account called Local-User on the DC

Joined the PC to the Domain and restarted.
Logged on as DOMAIN\Local-User

Now Local-User.domain has no privliges on the local machine. You with me so far?

So log off, Log back on a Domain Administrator.
Go to controll Paner / User Accounts
Guess What? No Domain account for Domain\Local-User Exists!

So I add the Domain\Local-User and put him in the Administrators and all is well.

What did I miss??

 

You didn't miss much. Confusion with user accounts maybe.

If you have accounts
domain\Ima-user
local-pc\Ima-user
The account names all look the same to people, Ima-user, but to the network and to the PC they are completely different.

The computer is reading the account's SID rather than the people-friendly display name.

If you add domain\Ima-user to the PC's local administrator group then domain\Ima-user is an admin on that PC but local-pc\Ima-user is not unless the accounts is also added.

If for some reason you later delete domain\Ima-user from the domain accounts and then add it back, the PC will be confused since the account it had as a local admin no longer exists. Same name but different SID so as far as the PC is concerned, completly different user account.

You can easily test this yourself.
- create a domain user account
- add it to security for any folder on a PC and the username will show in the folder security display.
- delete the domain user account
- create a new one with the exact same name
- now when you look at folder security there will be a string of numbers shown as an account in the security settings. It will be the SID of the now defunct account and is trash. The domain user account will be nowhere to be seen.