Grant authority for local pc for domain user

[CrimeScene]

Hello all,

I have an XP machine which I successfully joined to a Win2003 Server Domain. FYI, I did not define a local profile for any user (other than the pre-existing administrator acct) on that XP client machine.

When a user logs into the domain at this client pc, they are not permitted to run things like Windows Update, nor can they work with the c:\windows\temp folder.

How can I delegate authority to a user so they have local "admin" rights (to the client machine only) after logging into the domain server? I am trying to avoid having two separate profiles; one on the local machine for local access .. and one on the domain server for domain access.

Thank you in advance for your time.
Ob

 

[markdmac]

I'd highly advise you not assign local admin rights to the user. This would give them the ability to do more damage than good. Better to assign the users as Power users which should give them the ability to do what you want.

Another and better option would be to remove the need for Windows Update and install the free SUS Server from Microsoft. SUS will deploy the updates to all of your Win2K and WinXP machines and give you the admin better control over what updates get pushed down.

http://www.microsoft.com/windowsserversystem/sus/default.mspx

To globally assign the users to the power users group on all of your computers, you shoudl do the following.

On an XP box launch MMC. Install the Security Configuration and Analysis and Security Templates snap-ins. Modify or create a new template (the SecureWS template is what I would use) Go to the Restricted Groups section and add a group called power Users. Now add Authenticated Users (from the domain) to this list. Click apply.

Right click the template and choose Save.

Now you can import this template into your security database and apply it.