Domain user needs profile upgraded to local admin

jerryk

Programmer
Jun 13, 2001
82
US
I have a W2K AD Domain with XP pro clients.

I logged in a new domain user to a workstation, and XP created a local profile for the domain user.

That user now needs to be upgraded to local admin. But I can't figure out where to do it (In XP).

Control Panel / Users only shows local (non domain) users. My 2000 Pro laptop shows domain AND local.

My computer / advanced shows domain users but is only there to change to roaming/local profiles.

Where has Bill Gates hidden the screen to set domain profiles to local admin?

Many thanks for any help.
 
There are several ways to do this.

. Log on as the local Administrator and add the user to the Administrators group with Start, Run, lusrmgr.msc. You can do this through Control Panel, Administrative Tools, Computer Management, or by right-clicking My Computer, Manage.

It certainly would be a serious security flaw if any domain user could add themselves as local Administrators.

. This note suggests a useful general solution:
. I have used this freeware tool on occasion, and like it:
. There are resource kit utilities to handle this as well. I know add users to groups will do so, and I believe cusrmgr.exe will do so with the -localgroup option. You can obtain many of these utilities as free direct downloads:
 
Thanks for your answer, I'm having a problem though....

lusrmgr.msc only shows local users.

the user: domain\jsmith is not in the list, even though they're logging into the machine.

Furthermore, adding a user in lusrmgr.msc doesn't offer a chance to specify a domain, so won't that create another local user who has the same name but is not the domain user?





 
This is frustrating. There must be a simple way to add domain users to a PC and upgrade them to local admin...

I must be ignoring something obvious.
 
Did you explore my third link?

The Resource Kit utilities, including the ones MS offers without charge, offer two utilities to do what you are requesting.

My original point #1 assumed that you:

. logon as local Administrator
. create new local user
. add new local user to local Administrators Group
. logon as new local user and authenticate with the domain

Again the suggestions above #2 and #3 were to offer more general solutions to the problem.

 
Aha...Thanks again. You've helped me determine where the gap in my knowledge is:

.... logon as new local user and authenticate with the domain

If I'm a local user (even local admin) how do I "authenticate with the domain" such that I can forever login as
user: joe
pwe: ****
domain: mydomain (not the local machine)?

I mean, I could login as local admin and do this:
start \\domainserver
..and that would give me a login prompt, but
that "authentication" would die when my session ended.

Thanks again for your help!
 
jerryk,

As the local Administrator, right-click My Computer, Properties, Computer Name.

Join the workstation to the Domain.

Logoff, and boot as the new username as discussed above.
 
First of all, we are all missing the boat. Administration of Domain Users is accomplished through Active Directory Tools. In this case, Active Directory Users and Computers specifically.

To make a user a local administrator on a computer he/she logs into is accomplished by adding the Domain User Account to the Administrators group in the builtin folder.

Additionally, to make all members of a group local admins, make the group a member of BuiltIn\Administrators.

I strongly believe in role based assignments. Throw all the office staff into one group and the IT staff into another and so on....

Then, add the Office Users to Builtin\Users, Add Supervisors to builtin\Power Users, and IT to builtin\Administrators.

NOTE: BE FOREWARNED..... PROFILES ARE ACCESSIBLE BY LOCAL ADMINISTRATORS. ROAMING PROFILES ADD MORE COMPLEXITY WITH DATA SECURITY FOR LOCAL ADMINS. THIS IS SOLVED BY NOT PROPAGATING PERMISSIONS FROM THE PARENT.

Hope this helps.
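
Putting a domain group rather than individual users into a workstation's Administrators group, and then checking who actually ended up there, can be scripted on the client. This is an added example, not part of the original thread: it assumes Windows PowerShell is installed on the workstation and uses the ADSI WinNT provider, and MYDOMAIN and IT Staff are placeholder names.

```powershell
# Added example. MYDOMAIN and 'IT Staff' are placeholder names.
# Run from an account that is already a local administrator.

function Get-LocalAdminMember {
    param([string]$Computer = $env:COMPUTERNAME)
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $type  = $m.GetType()
        $path  = $type.InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $class = $type.InvokeMember('Class', 'GetProperty', $null, $m, $null)
        # Local account:  WinNT://<domain or workgroup>/<COMPUTER>/<name>
        # Domain account: WinNT://<DOMAIN>/<name>
        # Unresolved SID: WinNT://S-1-5-21-... (the account no longer exists)
        $parts = $path.Substring('WinNT://'.Length).Split('/')
        $authority = ''
        if ($parts.Length -eq 1) {
            $scope = 'UnresolvedSid'
        } else {
            $authority = $parts[-2]
            if ($authority -ieq $Computer) { $scope = 'Local' }
            elseif (@('NT AUTHORITY', 'BUILTIN') -contains $authority) { $scope = 'WellKnown' }
            else { $scope = 'Domain' }
        }
        New-Object PSObject -Property @{
            Scope = $scope; Authority = $authority; Name = $parts[-1]; Class = $class
        }
    }
}

function Add-LocalAdminMember {
    param([string]$Domain, [string]$Name, [string]$Computer = $env:COMPUTERNAME)
    # Adding an existing member raises an error, so check first.
    $existing = Get-LocalAdminMember $Computer |
        Where-Object { $_.Authority -ieq $Domain -and $_.Name -ieq $Name }
    if ($existing) { return "$Domain\$Name is already a member" }
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    $group.Add("WinNT://$Domain/$Name")  # throws if the name cannot be resolved
    "$Domain\$Name added to Administrators on $Computer"
}

# Add the domain group once, rather than each person:
# Add-LocalAdminMember -Domain 'MYDOMAIN' -Name 'IT Staff'

# Entries to question: individual domain users and unresolved SIDs.
Get-LocalAdminMember |
    Where-Object { ($_.Scope -eq 'Domain' -and $_.Class -eq 'User') -or
                   $_.Scope -eq 'UnresolvedSid' } |
    Format-Table Scope, Authority, Name, Class -AutoSize
```

The listing at the end only reads group membership; the add call is left commented out so nothing changes until a real domain and group name are filled in.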
 
I agree with everything you said linney, but it is not clear to me that the machine name registration was done under AD in this case. Why, for example, is there no Domain box appearing under the logon?

In any case, AD registered machines can use the reskit tools I linked above.

What is unclear in this original poster's situation, and unclear in my own mind, is whether my past habits are wrong or could be improved in this situation. This is in a situation without using Sysprep and/or unattended install features. Just a new box:

Bill's current practice:

. I install new XP OS on new machine, as Workgroup, with the same workgroup name as the eventual target Domain name;
. I create a new Administrator user, identical to my Domain Administrator name and password.
. I create any potential local users. I add them where appropriate as members of Group local Administrators;
. I now change System Properties, Computer Name, and identify a Domain instead of Workgroup, and give the specifics.
. I logoff, and login again with my local/Domain username and password.

If I was doing 50 or a thousand machines, I would do the process quite differently. But I thought the underlying user question had to do with an add to a Domain (it is still unclear whether AD is active in this particular case) a new box.

Help me out here.
 
I'll try the builtin suggestion.

My workstation was already joined to the domain before this user came on the scene, so creating users then joining the domain isn't an option....I think.
 
That was my guess. The trick is to name the workgroup identically in all respects to the eventual Domain name.

I gave you my suggested steps above. Helmig's site: makes the same point:

"There are several reasons why you still need to logon using your local user-database, the most important: The Administrator permission to be able to modify the setup / configuration of the Windows 2000 system.

When you logon to the Domain, your username will NOT have any administrative permission for the domain (unless you are yourself the Domain administrator, but even then it is suggested that you connect to the server without administrative rights to avoid accidental deletion of vital server data).
The domain security system is now also valid for the local Windows 2000 system, not allowing to make changes to the setup / configuration.

If you need to make a change to the setup / configuration, you make a logon to the Local user-database, allowing to make the logon as a user with administrative permissions."
 