Giving an OD Network User/Group local admin rights.

Is there a way to manage workstation admin rights from the server?
I ran into a problem with Lightroom that requires admin privileges to change the program preferences. We have a lot of graphic art students with roaming profiles, spread out across 5 labs, that need to make this change. I would like to be able to add a group or all network users to the local admin group, for a few days, so the students can make the changes.

This works on 10.5, not sure about 10.6.
As root on the client.
Upgrading legacy group for local admin group - this is from 10.4 days, not sure if you still need to do it.
dseditgroup -o edit -f n -t group -n /Local/Default admin
Nest OD group in local admin group
dseditgroup -o edit -a DirectoryAdminGroup -t group -n /Local/Default admin
Gen

Similar Messages

  • Network User with Local Admin Privileges?

    I have a small network (around 25 clients total) that was setup prior to my arrival. Each client has its own unique local admin (each machine was setup by the individual user) and it's become somewhat daunting to support them.
    All of the machines are connected (but not specifically bound) to an Open Directory and each is accessible via Remote Desktop, however I cannot push software updates, etc. without local admin privileges.
    I'd rather not create an account on each machine, nor do I want to completely lock down each computer (I'd like them to still have the flexibility to be admins so they can install apps, etc.)
    Is it possible to authenticate against OD and obtain local admin privileges?

    Yes.
    You can wipe all account information and then recreate a common initial admin account. This will make administration far easier as all machines will have the same admin username/password combination. Next, bind all of the systems to the domain and create domain accounts for all users on the server (likely already exist). Log in as the domain accounts and migrate permissions to domain ids. Finally, promote the user to the local admin group through System Preferences > Accounts on the workstation. You must enable the account as a mobile account in Workgroup Manager first. If you do not, the account will not cache to the workstation and you will be unable to add it to the admin group.
    Also, in a workgroup of 25, I would recommend rethinking the decision to grant local admin access to end users. This is asking for trouble as you will have no control over when updates are applied or even if they are. In theory (and probably in practice), you will have 25 completely different machine configurations. This is far harder to manage and troubleshoot than 25 systems with different admin accounts.
    If you must provide some level of autonomy, while not trivial, you might want to consider modifying /etc/authorization and granting limited admin rights to the users.
    Hope this helps - congrats on the opportunity

  • Update says another copy is running and does not update if user does not have local admin rights

    An update message popped up when opening Firefox 9.1 Accepted the message to update. Got above error each time I open Firefox as a user without local admin rights.

    Hi,
    Please see this: https://support.mozilla.org/en-US/kb/Updates%20reported%20when%20running%20newest%20version#w_delete-update-configuration-files

  • Local Admin Rights - add / remove ?

    Is there a way to add and remove local admin rights for users at logon / logoff in Server 2008?
    Workstations are XP sp3 and Windows 7 Sp1.  We have users who move from computer to computer and they need local admin access but we would prefer to not have Domain Users have local admin rights to all PCs.

    Hi,
    As far as I can see, we can add the user to the local admin group at logon, but the user has to log on again to get the membership, and if we also remove the user from local admin at logoff, then this is equal to doing nothing.
    To add a domain user to a single computer as local administrator using GPO, I would like to suggest you go through the below similar threads:
    Use GPO to add a single admin user to only one computer on the domain.
    http://nerddrivel.wordpress.com/2013/05/24/use-gpo-to-add-a-single-admin-user-to-only-one-computer-on-the-domain/
    How do I add a domain user to a single computer as local administrator using GPO
    http://social.technet.microsoft.com/Forums/en-US/0a3eda5c-28ef-418e-a13d-f47fe0bf1bc3/how-do-i-add-a-domain-user-to-a-single-computer-as-local-administrator-using-gpo
    Granting Local admin rights via Group Policy to a particular computer
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/4ceff330-0b72-4ed2-a55a-3089b504d2fc/granting-local-admin-rights-via-group-policy-to-a-particular-computer?forum=winserverGP
    Hope this helps.
    Regards, Yan Li

  • Running Desktop software without local admin rights

    Is it possible to run Blackberry Desktop Software without the user having local admin rights? I have a number of users who have work BBs who need to use BDS, but I am in the process of correcting my predecessor's decision to give everyone local admin rights.

    Hello gheatley,
    Welcome to the Support Community!
    The BlackBerry® Desktop Software will need to be installed in a Windows® user account with local admin rights, but it can be used from within other user accounts with more limited permissions.
    Thanks.
    -FS

  • Network Account as Local Admin

    Hopefully an easy question, is there a way to specify a network account in WGM that will act as an administrator account on a local machine? Ideally I'd like to have a network account that I could log into that would give me administrator access to the machines on the network (that I've joined to that directory).

    Unfortunately, I think the answer is no. There is a way of doing it, but it's a bit roundabout.
    The account that you want to have local admin rights will have to be set up in WGM as a Mobile Account (in WGM select the relevant user, select Preferences, Mobility, Account creation/Creation tabs set to "Create mobile account......." = Always).
    Sorry if I'm saying stuff you already know, but always best to start from the basics.
    Mobile Accounts means the user account is copied from the server to the local machine and stored locally. It is then updated to and from the server at regular intervals. Once the account exists on the local machine, you can then go into System Preferences/Accounts, authenticate as the current local admin and select the "Allow user to administer this computer" check box.
    The trouble is that you then have to do this for every computer you intend to manage, which is a bit of a pain.
    So in summary, yes, it can be done, but probably considering the amount of work involved (depends to a certain extent on the number of machines you are administrating), it's almost easier to have a standard local account on each machine, which is the way I do it on my network.
    You never know, there may be another way of doing it like you want, but I've never come across it or heard of it being done. If anyone out there knows any different, please feel free to enlighten us both, lol.
    Message was edited by: MattLucas1505

  • Delay when starting accdb without local Admin rights.

    Hi,
    I have a problem with one application. The front end of the application is an MS Access DB that connects to our SQL Server over an ODBC driver. If the user is in the local administrator group, everything is working fast. When the same user is put in the user group without Administrative rights, I receive a delay for about 60 sec, then the error pops up.
    After I hit OK, a new SQL login pops up and I just press OK a second time and the application starts without entering any user and pass. This is not happening if the user is in the built-in Administrators Group.
    Thanks for the help
    fract

    Hi fract,
    as a Microsoft partner I have asked support for help.
    Here is their answer:
    Hi Partner,
    Thanks for your reply.
    Based on my research, the issue is identified as a compatibility issue that Access 2010 has with SQL Server 2008 R2. Access uses PERMISSIONS function to check the privileges. The PERMISSIONS function is deprecated in SQL Server 2008 R2. I haven’t found any workaround for this issue currently.
    You can check the more detail information at below link:
    PERMISSIONS (Transact-SQL)
    http://msdn.microsoft.com/en-us/library/ms186915(v=sql.105).aspx
    I think you need to access SQL Server 2008R2 with local admin right.
    If you have any further questions, please let me know.
    Best Regards,

  • Installing SQL server with local Admin rights

    Dear DB experts
    I have a concern about installing SQL Server 2000 on Win 2003 without local admin rights.
    I have delegated local admin rights to a Domain user.  That user can install and configure SQL without any issues, or is it a must to install SQL using the local administrator account?   pls advise.
    Regards
    Rabbani
    RaSa

    Hi Syed_R,
    SQL Server 2000 was out of support in SQL Server Forums since April,2013. You can install SQL Server 2005 or later version and more experts will assist you.
    As in the other post, the user that runs the SQL Server installer must have Admin rights on the server when installing. For local installations, you must run Setup as an administrator. If you install SQL Server from a remote share, you must use a domain account that has read and execute permissions on the remote share.
    In addition, in preparation for setting up Microsoft SQL Server on this system, you add the Setup account to the local administrators group; the Setup account also needs to have certain user rights to avoid SQL Server installation failures. Such as Local Policy Object Display Name, Backup files and directories and so on.
    For more information, you can review the following article.
    http://support.microsoft.com/kb/2000257
    Thanks,
    Sofiya Li
    TechNet Community Support

  • GPO - 2012 - Enforce Local Admin Right

    Hello,
    Just wondered if there was a way to deploy a GPO to enforce local admin rights for individual endpoints.
    We need a way to control who has local admin rights to what, but in this case we need to say grant local admin rights to Users A, B and C on workstations D, E and F only. 
    Other than creating a GPO 'per workstation' I don't see a way.  DFL / FFL will be 2012.
    Anyone got any ideas?
    Thanks
    Stuart

    Hello
    Thank you for the reply.  This issue is a little hard to grasp and to explain clearly.  I understand what you have said, I am fairly proficient with Group Policy.
    I want to be able to give one single user access to one single PC and control it centrally.  I think that is a better way of explaining it.  So if I have 100 PCs and 100 users, and say 20 of those users need to have admin rights on their own PC only and not on other PCs.
    That is what I am trying to accomplish.  If I create a security group called 'Desktop Admins', then link a GPO to an OU where the 100 PCs are, then security filter by the security group, then every time I add in a user, they will get local admin rights to all 100 PCs.  However I only wanted to grant them local admin rights on one PC.  That being their PC.
    I want to manage this centrally rather than remotely assigning local ACLs.  I also like GPO because if a local admin user decides he/she wants to give their mate local admin rights on their PC, GPO will overwrite it.
    Hope that makes sense
    Much Appreciated

  • Generate a list of users who has admins rights in BO XI.

    Post Author: bstn82
    CA Forum: Administration
    Any one has an idea how to produce a list of users who has admins rights?

    Post Author: TAZ
    CA Forum: Administration
    launch query builder from the admin launchpad
    enter this query
    select * from ci_systemobjects where si_parentid=19
    this will give you a list of all the members of the administrators group.
    You can experiment with query builder and possibly ask for help in the DEV forum if you need to write a more complex query.
    Regards,
    Tim

  • Local admin rights when Edit locally

    Hello, all!
    We have the same problem as in
    Local Admin rights to "Edit Locally" ?
    "The end users do not have administrator rights on their local PCs , they logon to the domain server with restricted rights. When it comes to portal, when trying to edit a document with "Edit locally" it is not possible to do is even if the user has all the rights for the document in the Portal KM configuration. When we make the user local admin, everything is OK"
    We are on SPS14, Windows XP SP2. Domain users can run corresponding applications and can create dirs or files in a temp directory. We also utilize env. variable SAPKM_USER_TEMP but with no success.
    Could you please suggest how to find the rights needed to execute Local Edit? Is there any way to trace this Docservice ActiveX?

    Hello Roman,
    here is a note which describes a solution for a user account with restricted rights:
    The Edit Locally activex will be installed based on following
    installation steps:
    The browser will recognize that the KM DocService activex has to be
    started.
    In case of the activex isn't installed on the the PC, it will be
    downloaded from the KM server (...etc/docservice/docservice.cab)
    The browser will extract two DLLs from the docservice.cab file
    (docservice.dll and sapkmprogressplayer.dll) and register them on the
    local PC. To see if the installation succeed you can open within the
    browser following dialog: Tools/Internet Options/Settings/View Objects,
    look for program file SAP KM DocService Control.
    Registry keys in following areas will be created:
    Area HKEY_CLASSES_ROOT:
    HKCR\AppID\{5F8983A6-347C-46B9-BA7A-1B87E5DAE0BC}
    HKCR\ProgressPlayerMod.ProgressPlayer
    HKCR\ProgressPlayerMod.ProgressPlayer.1
    HKCR\CLSID
    HKCR\TypeLib
    Area HKEY_LOCAL_MACHINE:
    HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/Down
    Downloaded Program Files/DocService.dll
    HKLM\Software\Microsoft\Code Store Database\Distribution Units\
    When finishing these steps successfully the installed version can be located within the browser dialog Tools/Internet Options/Settings/View Objects SAP KM DocService Control and then KM DocService will start loading the document content from the KM server and starting the corresponding application for editing.
    Installation with restricted user accounts:
    With restricted user accounts e.g. no access rights to create registry keys in the area of HKCR or HKLM etc., which lets the described installation fail, following installation procedure leads to success:
    Register the needed DLLs manually on the PC (e.g. via a shell command script) with a user account having enough access rights.
    1.1 Create an installation folder (don't use /windows/system32) on the PC and copy the DLLs (docservice.dll and sapkmprogressplayer.dll) to it (extract them from docservice.cab with a tool e.g. winzip).
    1.2 Open a command shell on this installation folder.
    1.3 Unregister possible existing versions with the following command:
    "regsvr32 docservice.dll /U " and "regsvr32 sapkmprogressplayer.dll /U "
    1.4 Register both DLLs with: "regsvr32 docservice.dll" and "regsvr32 sapkmprogressplayer.dll"
    1.5 If the two registration steps fail, check the permissions to write into the system registry.
    1.6 The installation folder does not need special permissions; the linkage to the DLLs will be done via the system registry.
    1.7 Additionally the following setting is mandatory to succeed the installation:
    Disable the "ActiveX Version Check" function within the KM Configuration
    SystemAdministration->SystemConfig->KnowledgeManagement->
    ->Configuration->ContentManagement->Utilities->Editing->LocalEditing-> ActiveX Version Check (Uncheck the checkbox)
    Setting a different TEMP directory:
    In cases that it is problematic to use the standard %TEMP% directory, setting the environment variable SAPKM_USER_TEMP pinpointing to a corresponding directory path (e.g. X:\SHARES\USERS\xxx\CheckedOutDocuments) will be also supported. If the access to that directory fails the standard %TEMP% directory will be used as fallback.
    Hope this helps,
    Michael
    Message was edited by: Michael Braun

  • Old/Legacy application requires Local Admin Rights to open Reader

    Hi,
    I've got a few users who have a very old application. The app generates a certain report in PDF format and then it's supposed to open it up in Adobe Reader. Currently, the users are using Adobe Reader version 6.
    I'm trying to get these users upgraded to latest version of Adobe Reader. After some testing, it seems that this old application works fine if the users are given Local Admin Rights to the computer. The application can successfully generate its reports and then open it up in Adobe Reader.
    The users are running on Windows XP SP3. While testing, I gave users full access to "C:\Program Files\Adobe\" and the legacy application's installation folder, since I'm not sure why the Local Admin Rights allows Reader to open. However, this didn't seem to help.
    Is there anything you can suggest in this case?

    Chris Will wrote:
    >
    http://fpdownload.macromedia.com/get/shockwave/default/english/win95nt/latest/Shockwave_In staller_Full.exe%3E
    >
    > HTTP 404 Not Found.
    What's with the %3E entity on the end of the URL you posted? What happens if you remove it ;-)
    Here's a tinyurl that hopefully won't wrap (being the reason I bracketed the original in with <> characters)
    http://tinyurl.com/2f2brm

  • GroupWise 6.5.7 distribution without local admin rights

    I would like to distribute the GroupWise 6.5.6up1 (6.5.7) client
    installation (from 6.5.1).
    I'm using the setup.cfg and setup.ini to have an unattended installation.
    It is working great with local admin rights.
    Now I would like to distribute this version with ZENworks. I'm using the
    workstation object (association) so the distribution will take place when
    the workstation starts up.
    But (as far as I can see) the registration of DLLs will not take place.
    What kind of alternatives are there to distribute GroupWise without local
    administrator rights?
    Thanks.
    Armand.

    Thanks for the reply.
    The .aot files give problems, dll files are missing (the known
    vslwp7.dll) and I found a lot of bad experiences on the forums with the
    viewer etc.
    Armand.
    > I've been using the AOTs included with the GW Client (Zen directory).
    > They import into Zenworks easily and have worked well for me the last 2
    > upgrades.
    >
    > >>> <[email protected]> 10/11/2006 1:34:27 AM >>>
    >
    > I would like to distribute the GroupWise 6.5.6up1 (6.5.7) client
    > installation (from 6.5.1).
    > I'm using the setup.cfg and setup.ini to have an unattended installation.
    > It is working great with local admin rights.
    >
    > Now I would like to distribute this version with ZENworks. I'm using the
    > workstation object (association) so the distribution will take place when
    > the workstation starts up.
    > But (as far as I can see) the registration of DLL's will not take place.
    >
    > What kind of alternatives are there to distribute GroupWise without local
    > administrator rights?
    >
    > Thanks.
    > Armand.

  • DPM 2012 still requires put end users into local admin groups for the purpose of end user data recovery?

    On client computers that are protected by DPM 2010 and prior versions, you had to put the end user's account in the local administrators group. If you did not add the end user account to the local administrators group you would get this error after opening the recovery tab in the DPM client: “DPM found no recovery points which you are authorized to restore on the specified DPM server. You can restore only those recovery points for which you were an administrator at the time the backup was taken. To restore other recovery points, contact your DPM administrator, or attempt to restore from another DPM.”  This is not ideal on many networks because the end users are not allowed to have local administrator access.
    The fix to this was included in hotfix 2465832 found here: http://support.microsoft.com/kb/2465832.
    This hotfix (a hotfix rollup package for DPM 2010) resolves other issues with DPM 2010 as well. You can find the full list of what this hotfix corrects on that link.
    One would think this issue should have been resolved in DPM 2012, however I am encountering the same exact issue, and had to include end users in the workstation local admin group before they can search for recovery points on the DPM server. This is not acceptable practice.
    Is there a new hotfix for the same issue on DPM 2012? I am hesitant to apply KB2465832 since it also includes many other fixes for DPM 2010, which may not be applicable for version 2012.
    Please help.
    Thanks,

    This is a hands off solution to allow all users that use a machine to be able to restore their own files.
    1) Make these two cmd files and save them in c:\temp
    2) Using windows scheduler – schedule addperms.cmd to run daily – any new users that log onto the machine will automatically be able to restore their own files.
    <addperms.cmd>
    Cmd.exe /v /c c:\temp\addreg.cmd
    <addreg.cmd>
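    REM Needs delayed expansion (!users!), which addperms.cmd enables with cmd /v.
    REM The scheduled task runs this file with admin rights, so keep it in a folder only administrators can modify.
    set users=
    REM Start a .reg file that targets the DPM agent's ClientProtection key.
    echo Windows Registry Editor Version 5.00>c:\temp\perms.reg
    echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Data Protection Manager\Agent\ClientProtection]>>c:\temp\perms.reg
    REM Build a comma-separated DOMAIN\\user list from the profile folder names under c:\users.
    FOR /F "Tokens=*" %%n IN ('dir c:\users\*. /b') do set users=!users!%Userdomain%\\%%n,
    REM Write the list as ClientOwners; the trailing bogususer entry closes the list after the last comma.
    echo "ClientOwners"=^"%users%%Userdomain%\\bogususer^">>c:\temp\perms.reg
    REM Import the value into the registry and clean up.
    REG IMPORT c:\temp\perms.reg
    Del c:\temp\perms.reg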
    Regards, Mike J. [MSFT]
    That's a good one! Thanks for that.
    I've been scripting on KIX for some time, so here is mine, hope it helps to someone... (it's probably not the best, but it works)
    ========================================================================
    $RC=setoption("WOW64AlternateRegView","on") 
    $DPMkey = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Data Protection Manager\Agent\ClientProtection"
    $uservariable = "%userdomain%\%username%"
    If KeyExist ($DPMkey)
    $Userstring=ReadValue($DPMkey, "ClientOwners")
    If $Userstring == ""
    WriteValue($DPMkey,"ClientOwners", $uservariable, "REG_MULTI_SZ")
    ? "Key created"
    else
    If not instr($Userstring,$uservariable)
    $Userstring = "$Userstring,$uservariable"
    WriteValue($DPMkey,"ClientOwners", $Userstring, "REG_MULTI_SZ")
    EndIf
    Endif
    EndIf
    ==========================================================================
    The problem actually is that you still need to use an admin account to write on the registry, so ensure you configure it properly on the schedule task.
    In case you use a service account on the schedule task... the "$uservariable" will get populated with that account. As a work around to this... I changed it for the following line:
    =========================================================
    $uservariable = ReadValue("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI", "LastLoggedOnSAMUser")
    =========================================================
    The only problem with that is that the key gets created/updated only if the user gets logged on physically on that PC, but it will not work for anyone connecting through RDP.

  • Can not add Domain User to Local Admin Group Win8.1

    Hello, 
    I am trying to add a domain user to the local admin account on a Win8.1 Enterprise computer. When I click the check name button it asks me to enter network credentials even though I am signed in to the computer with a domain admin account. When I try to type in any of my domain admin accounts it says "The Username or Password is incorrect". Even though I used that same account to login with. I can successfully ping all 3 of my DCs from the computer and have tried putting my second DC as the primary DNS and my third DC as the primary DC and same problem. I have checked for Active Directory errors on the DC and everything says it is running fine on the DC in server manager. I have this problem on multiple computers. Some of the computers it will work on but 90% of them it won't allow me to add the local user to the local admin group. 
    DCs are running Win Server 2008 R2 Enterprise. 
    Any help would be greatly appreciated. 
    Thank You

    I would suggest you use Restricted Groups (via GPO) to add domain users/groups to the local admins group.
    1. Create a new group in Active Directory
    Create a new group in Active Directory that you wish to add to every workstation's local administrator group. DO NOT add any users to this group at this time.
    2. Create a new GPO
    Create a new group policy object and link it to the desired OU. Make sure that the GPO you are using covers the OU that contains the WORKSTATIONS you want to give users local administrative rights over.
    3. Edit the newly created GPO
    Navigate within the newly created GPO to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Restricted Groups
    4. Add your new Active Directory group to the Restricted Group
    Right-click the Restricted Groups folder and select "Add Group" to add your new Active Directory group to the Restricted Group. In the Group field, type the name of the newly created Active Directory group and click "OK"
    5. Add the Restricted Group to the local administrator group
    In the Restricted Group Properties window click "Add" under the section titled "This group is a member of:". Type "Administrators" (without the quotes, and yes, it is plural) in the Group Membership window and click "OK"
    6. Wait for GPO updates to apply to the workstations
    Once your users receive their updated group policy settings, every workstation within the OU you specified will have your new Active Directory group as a member of the local administrators group. If you need to force the GPO update on a specific workstation, run "gpupdate /force" in a command window on that workstation.
    7. Add a user or group of users to the Active Directory Restricted Group
    When you are ready, or in a position where you need to provide local workstation admin rights, you can simply add the users or group of users to the Active Directory group that you created for use with Restricted Groups within your Active Directory Management Console.
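
An added example (not part of the original answer): the choice made in step 5 is stored in the GPO's GptTmpl.inf under [Group Membership], and this Python script audits that section. It goes slightly beyond the steps above by also flagging the "Members of this group" form, which sets the local Administrators membership to exactly the listed accounts instead of adding to it. The sample template, its SIDs and the function names are constructed for illustration.

```python
"""Audit the [Group Membership] section of a GPO security template (GptTmpl.inf)."""
import re

ADMINISTRATORS = "*S-1-5-32-544"  # well-known SID of the built-in Administrators group

# Constructed sample: the S-1-5-21-... domain SIDs are placeholders, not real values.
SAMPLE_GPTTMPL = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-21-1111111111-2222222222-3333333333-1601__Memberof = *S-1-5-32-544
*S-1-5-21-1111111111-2222222222-3333333333-1601__Members =
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-512
"""


def decode_inf(raw):
    """Templates in SYSVOL are normally UTF-16 with a BOM; accept UTF-8 as well."""
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig")


def is_admins(name):
    """True for the local Administrators group, given as SID or as a plain name."""
    return name.upper() == ADMINISTRATORS or name.lower() == "administrators"


def parse_group_membership(text):
    """Return {group: {"memberof": [...], "members": [...]}} for the keys present."""
    groups, in_section = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        m = re.fullmatch(r"(.+)__(memberof|members)", key.strip(), re.IGNORECASE)
        if m:
            entries = [v.strip() for v in value.split(",") if v.strip()]
            groups.setdefault(m.group(1), {})[m.group(2).lower()] = entries
    return groups


def audit(groups):
    """Classify every entry that touches the local Administrators group.

    ADDITIVE: "<group>__Memberof" names Administrators (step 5, "This group is
              a member of"); the group is added and other members are kept.
    REPLACES: "Administrators__Members" is present ("Members of this group");
              the local Administrators membership becomes exactly this list.
    """
    findings = []
    for name, cfg in groups.items():
        if is_admins(name) and "members" in cfg:
            findings.append(("REPLACES", name, cfg["members"]))
        elif any(is_admins(target) for target in cfg.get("memberof", [])):
            findings.append(("ADDITIVE", name, cfg["memberof"]))
    return findings


if __name__ == "__main__":
    for kind, group, detail in audit(parse_group_membership(SAMPLE_GPTTMPL)):
        print(f"{kind:9} {group} -> {', '.join(detail) or '(empty)'}")
```

Run it against a copy of the template taken from the GPO's folder in SYSVOL, passing the file bytes through `decode_inf` first.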
