Power User

devilman0

I am trying to figure out how to make a "Power User" group in 2kserver. I want to have read/write access to registry, winnt folder (2k pro & xp pro). Basically administrator without all of the perks. Any suggestions?
 
Create a security group in AD, or just use the Domain Users, and then make the Domain Users group part of the Power Users local groups on the local PCs. HINT: you can use Computer Management to do this remotely, if you have administrative rights; it makes it a lot easier than visiting each desktop. On any PC, go into the local user account manager and hit the Advanced tab at the top, then the Advanced of the Advanced User Management, click Groups, open Power Users, add the Domain Users. I only tell you this because this is the way we've had the best luck. Let me know if you need further details.

Good Luck! "tis better to be thought of as a fool then open your mouth and remove all doubt" Mark Twain

"I should of been a doctor.." Me
 
There must be an easier way than going to Computer Management -> connect to the computer -> adding Domain Users to Power Users' members: via script or something in Active Directory. I have 60 computers I must do this to. OR is there a way to create one in Active Directory? Through group policy? Really the problem I am having is through a program protected through Crypkey (alpine view). If anyone has had a similar problem and has found a workaround for this, let me know.

Thanks James.
 
There might be an easier way, I have 70 pc's and I had them all done in less than an hour.. If you need to let them run one app that needs admin rights, I believe there is a "service" allow policy in GP, it's probably going to be under the User side of it if it is..

I experimented with that, but I looked ahead a ways and realized there is going to be much more in the future so I just made them all power users. "tis better to be thought of as a fool then open your mouth and remove all doubt" Mark Twain

"I should of been a doctor.." Me
 
This is getting old (been working this problem for a month). I modified the Power Users on every machine to include "Domain Users". I have all regular users using this group, but with no success. I have looked through all of the GP stuff, but found nothing that says run service as admin. If anyone has any idea how I could make this program work (Alpine view) under a non-administrator group/user, this would be helpful.

Thanks in advance..
James
 
I was just thinking.. Why not make Domain Users local admins? As long as they aren't powerful on the domain, they should definitely be able to install everything locally. I looked through our GPO and didn't see anything, but I swear there is something somewhere to allow certain apps to run. Most users don't know how to be destructive, even if they had to!

I'm thinking this is what I'm going to do here, all the machines here are the same and we got a good image and a gigabit network so I'll take the chance of a user destroying something..
Good luck! "tis better to be thought of as a fool then open your mouth and remove all doubt" Mark Twain

"I should of been a doctor.." Me
 
Yeah, I think I'll have to do the same (Domain Users with admin rights, but shares applied to Domain Admins). I was worried because we have a computer outside (CNC saw) that is on the network. It is a Win98 computer, so security = nil. I have the computer pretty much locked down with legacy policies, but (as there always is), I know Win98 isn't secure, and my company doesn't want to shell out money for software that would lock down the computer completely (Fortress, Clean Slate are examples); however, they want their files kept secure.

Thanks for all of your help snootalope.
 
Here is another problem, semi-related to the above:
I have assigned the group to the administrator group (name of the group in which users are assigned is called Design, they are a member of the administrator.builtin group). It works on 2k pro; however, xp pro is being a pain, and won't allow this to be an admin. Any thoughts?
 
Here is a copy of a script I use in our domain. All you need to do is add it as a script for your computers under the computer policy and pass it the parameters as defined in the help section. Don't forget to create the domain local group and an associated domain global group to put in it. Then populate the domain global group with the users. I have another script that can tie a user to a computer, but it requires naming standards, which are often lacking.

'Beginning of Script
' APUTLPUG This program adds any groups that are passed to it as parameters to the local Power Users Group
' APUTLPUG is an acronym for Add Power Users to Local Power Users Group
' Run APUTLPUG.vbs /? for more information

'______________________________________________________________________________________________
'______________________________________________________________________________________________

'Initialize variables
Dim I, J
Dim AdminGroup()    'Holds the Domain/Group names passed on the command line
Set shell = CreateObject("Wscript.Shell")
Set net = WScript.CreateObject("WScript.Network")
local = net.ComputerName    'Name of the computer the script is running on
CRLF = (Chr(13) & Chr(10))

'Refuse to run without at least one command line argument
If Wscript.arguments.count = 0 Then
    Dim Errvar
    msg1 = "This script will not run without a command line argument!" & crlf
    msg2 = crlf & "Run APUTLPUG.vbs /? for more information." & crlf
    msg = msg1 & msg2
    Errvar = MsgBox(msg, 48, "APUTLPUG Error! No command line argument!")
    Wscript.quit
End If

'Get the command line arguments
Argcount = Wscript.arguments.count - 1
For i = 0 To Argcount
    ReDim Preserve AdminGroup(i)
    If Wscript.arguments.item(i) = "/?" Then
        Help    'Shows the help text and quits
    Else
        AdminGroup(i) = Wscript.arguments.Item(i)
    End If
Next

Set group = GetObject("WinNT://" & local & "/Power Users") 'Get access to the local security group

For j = 0 To Argcount
    'Errors from Add (for example, the group is already a member) are ignored
    On Error Resume Next
    group.Add "WinNT://" & AdminGroup(j) 'Add Domain Security Group to the local Security group
Next

'End of main code

'_________________________________________________________________________________________________________________________
'All subroutines are placed after this point!
'_________________________________________________________________________________________________________________________

'This subroutine displays a help message when /? is passed to the script
Sub Help
    msg1 = "This script was written by Mr. Nice Guy" & crlf
    msg2 = crlf & "This script will not run without a command line parameter" & crlf
    msg3 = crlf & "Pass the Domain group that should be added to the local Power Users group as a parameter." & crlf
    msg4 = crlf & "The syntax is APUTLPUG.vbs Domain/Group." & crlf
    msg5 = crlf & "Quotes must be added if there are any spaces" & crlf
    msg6 = crlf & "The following example would add the Domain Local group DL Workstation Power Users from the Test domain to the local Power Users group" & crlf
    msg7 = crlf & "Example: APUTLPUG.vbs ""Test/DL Workstation Power Users"" " & crlf
    msg = msg1 & msg2 & msg3 & msg4 & msg5 & msg6 & msg7
    MsgBox msg, vbInformation, "APUTLPUG Help!"
    wscript.quit
End Sub

'End of Script
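
A read-only counterpart to the script above, as an added example that is not part of the original post: it uses the same WinNT provider to report who is in the local Power Users and Administrators groups and flags broad principals such as Domain Users. The computer list, the English group names and the `$BroadNames` list are assumptions.

```powershell
# Added example (not from the thread): report local group membership and flag
# broad principals. Assumptions: English group names; $Computers and
# $BroadNames are placeholders to replace with your own values.
$Computers  = @($env:COMPUTERNAME)
$Groups     = 'Power Users', 'Administrators'
$BroadNames = 'Domain Users', 'Everyone', 'Authenticated Users'

function Get-LocalGroupMemberPath {
    param([string]$Computer, [string]$GroupName)
    # Same WinNT provider the VBScript writes through, used here only to read.
    $group = [ADSI]"WinNT://$Computer/$GroupName,group"
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        # Members come back as COM objects; read ADsPath by late binding.
        $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
    }
}

function Test-BroadPrincipal {
    param([string]$AdsPath, [string[]]$Names)
    # ADsPath ends in the account name, e.g. WinNT://TEST/Domain Users
    $leaf = ($AdsPath -split '/')[-1]
    return ($Names -contains $leaf)
}

$report = foreach ($computer in $Computers) {
    foreach ($groupName in $Groups) {
        try {
            foreach ($path in Get-LocalGroupMemberPath $computer $groupName) {
                [pscustomobject]@{
                    Computer = $computer
                    Group    = $groupName
                    Member   = ($path -replace '^WinNT://', '')
                    Broad    = (Test-BroadPrincipal $path $BroadNames)
                }
            }
        } catch {
            # Unreachable host, missing group or access denied: keep a row for it.
            [pscustomobject]@{
                Computer = $computer; Group = $groupName
                Member   = "ERROR: $($_.Exception.Message)"; Broad = $false
            }
        }
    }
}
$report | Sort-Object Computer, Group, Member | Format-Table -AutoSize
```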
 
Didn't try the script, but looks like it would work for someone else... I fixed the problem. It turns out that on my 2k machines the security tab for the local drive had every check box checked for Everyone, but on XP, default is that all of the check boxes under Everyone are unchecked. After I checked "Full Control" the program started to work as it should. This also kept my network shares secure and kept me from having to re-do all of the permissions on the shares.
Thanks for all who helped
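
A check for the permission change described in the last post, as an added example that is not part of the thread: it lists Allow entries that give Everyone (SID S-1-1-0) Full Control on a drive root and its top-level folders. The `$Root` value is an assumption.

```powershell
# Added example (not from the thread): find Allow entries that give Everyone
# Full Control. $Root is an assumption; point it at the drive being checked.
$Root = "$env:SystemDrive\"

function Get-EveryoneFullControl {
    param([Parameter(Mandatory = $true)][string]$Path)
    $full       = [int][System.Security.AccessControl.FileSystemRights]::FullControl
    $genericAll = 0x10000000   # GENERIC_ALL, stored unmapped in some ACEs
    $sidType    = [System.Security.Principal.SecurityIdentifier]
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    # Ask for SIDs so the match does not depend on the localized name "Everyone".
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        $rights = [int]$ace.FileSystemRights
        $isFull = (($rights -band $full) -eq $full) -or
                  (($rights -band $genericAll) -ne 0)
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.IdentityReference.Value -eq 'S-1-1-0' -and $isFull) {
            [pscustomobject]@{
                Path      = $Path
                Inherited = $ace.IsInherited
                AppliesTo = "$($ace.InheritanceFlags) / $($ace.PropagationFlags)"
            }
        }
    }
}

# Drive root plus its first level of folders; deeper items usually inherit.
$targets = @($Root) + @(
    Get-ChildItem -LiteralPath $Root -Directory -Force -ErrorAction SilentlyContinue |
        ForEach-Object { $_.FullName }
)

$findings = foreach ($target in $targets) {
    try {
        Get-EveryoneFullControl -Path $target
    } catch {
        # Protected folders can refuse Get-Acl; report and continue.
        Write-Warning "$target : $($_.Exception.Message)"
    }
}
$findings | Format-Table -AutoSize
```

Rows with `Inherited` set to False mark where the entry was set directly, which is the place to change it.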
 