Managing User Accounts and Rights In A Domain

Last Updated: 28 Dec 2004
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

*** PLEASE NOTE: Link(s), If Provided, May Be Wrapped ***


In most business environments, it is a good practice to
provide most users with very limited logon accounts which
allow them to access only what is necessary to get their
work done successfully.  This typically means that they
do not receive enough rights to install things on their
local systems or accidentally delete/alter drivers or
other critical system components.

Occasionally, however, you may need to give an otherwise
average domain user full control of his or her own local
machine.  If done incorrectly (for example, by adding the
account to a domain-wide administrative group instead of
the workstation's own local group), the user will end up
with a high level of rights across the domain itself, and
much grief will ensue.

The appropriate way to accomplish this goal is to take
the user's DOMAIN account, and place it in the local
Administrators group of the machine in question. The
machine may have a local logon account (which should
only be for emergency purposes), but this is not the
account that is being addressed.


EXAMPLE:

=======================================
• Domain Name ............ MYDOMAIN
• User's Workstation ..... COMPUTER01
• User's Name ............ Joe User
• User's Acct Name ....... JoeU

• Local Admin Group ...... COMPUTER01\Administrators
• Domain User Account .... MYDOMAIN\JoeU


To add Joe's domain account to the local Administrators
group on his machine (COMPUTER01), you can use any of the
following methods:


• GUI (NT4)
	START -> RUN -> USRMGR
	USER -> SELECT DOMAIN
	Enter "COMPUTER01"
	Double-Click on "Administrators" in the "Groups" Pane
	Select "Add"
	Type "MYDOMAIN\JOEU" into the appropriate edit box


• GUI (Windows 2000/XP)
	Right Click on "My Computer"
	Select "Manage"
	Right Click on "Computer Management (Local)"
	Select "Connect To Another Computer..."
	Enter "COMPUTER01"
	Expand "Local Users and Groups"
	Expand "Groups"
	Double-Click on "Administrators" in the Right-Hand Pane
	Select "Add..."
	Type "MYDOMAIN\JOEU" into the appropriate edit box
	Press "Check Names"


• CLI (Ye Ol' Command Line Interface)
	Logon to the console of COMPUTER01
	START -> RUN -> CMD
	NET LOCALGROUP Administrators MYDOMAIN\JoeU /ADD
=======================================
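The CLI method above, written out as a re-runnable script with the checks an administrator would want before and after the NET LOCALGROUP call. This is an added example and not part of the original article; it uses the article's sample names (MYDOMAIN, COMPUTER01, JoeU) as assumptions and must be run from a console session on the workstation itself, by an account that is already a local administrator there.

```batch
@echo off
REM Added example (not from the original article): add a domain account to a
REM workstation's LOCAL Administrators group and verify the result.
REM Sample values below are the article's; change them to suit your domain.
setlocal
set "TARGET=COMPUTER01"
set "DOMAIN=MYDOMAIN"
set "USER=JoeU"
set "GROUP=Administrators"

REM 1. Make sure we are on the intended workstation. NET LOCALGROUP acts on
REM    the machine it runs on, so running this on the wrong box would grant
REM    local admin rights somewhere you did not intend.
if /I not "%COMPUTERNAME%"=="%TARGET%" (
    echo This script is meant to run on %TARGET%, not %COMPUTERNAME%.
    exit /b 1
)

REM 2. Only a LOCAL group is touched. NET GROUP ... /DOMAIN would modify a
REM    domain security group, which is exactly the mistake the article
REM    warns about. Confirm the local group actually exists first.
net localgroup "%GROUP%" >nul 2>&1
if errorlevel 1 (
    echo Local group "%GROUP%" not found on %COMPUTERNAME%.
    exit /b 1
)

REM 3. Skip the add if the account is already a member. NET reports an
REM    error on duplicate adds, and an idempotent script is safer to re-run.
REM    /L forces a literal match so the backslash is not read as a regex.
net localgroup "%GROUP%" | findstr /I /L /C:"%DOMAIN%\%USER%" >nul
if not errorlevel 1 (
    echo %DOMAIN%\%USER% is already a member of %COMPUTERNAME%\%GROUP%.
    exit /b 0
)

REM 4. Perform the add, then read the membership back rather than trusting
REM    the exit code alone.
net localgroup "%GROUP%" %DOMAIN%\%USER% /ADD
if errorlevel 1 (
    echo Failed to add %DOMAIN%\%USER% to %COMPUTERNAME%\%GROUP%.
    exit /b 1
)
net localgroup "%GROUP%" | findstr /I /L /C:"%DOMAIN%\%USER%" >nul
if errorlevel 1 (
    echo NET reported success but the membership is not visible; check manually.
    exit /b 1
)

echo %DOMAIN%\%USER% is now a member of %COMPUTERNAME%\%GROUP%.
echo The user must log off and log on again before the new rights apply.
endlocal
exit /b 0
```

The membership check after the add is the part worth keeping even if you strip the rest: a successful exit code from NET tells you the command parsed, while `net localgroup Administrators` tells you who can actually administer the machine. Run that listing periodically on workstations to catch accounts that were added and never removed.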


You'll notice that the CLI method is far simpler than
the GUI method, and also that there are some subtle
differences in the dialog box options between versions
of Windows.


For this to take effect, "Joe User" must log on *after*
the change has been made: group memberships are read into
the user's access token at logon, so a session that is
already open will not pick up the new rights. If
necessary, have the user log off and log back on again.


WHITEPAPERS & TECH DOCUMENTS

• http://KB.UltraTech-llc.com/Docs/?File=Secure2000Pro.htm
• http://www.winnetmag.com/WindowsSecurity/Article/ArticleID/37438/37438.html
• http://www.microsoft.com/windowsxp/home/using/productdoc/en/net_user.asp
• http://support.microsoft.com/?KBID=199878
• http://msdn.microsoft.com/library/periodic/period98/ewn0498.htm
• http://support.microsoft.com/?KBID=251394
• http://support.microsoft.com/?KBID=137978
• http://www.microsoft.com/windowsxp/home/using/productdoc/en/dsmod.asp


PERSONAL NOTES

• XP/2003 have new native commands that allow you to
  query, add or modify various account information locally
  or in Active Directory:
  	DSQUERY
  	DSADD
  	DSMOD

• The NET USER command supports a /RANDOM parameter which
  will generate a random complex password. If you use the
  parameter as /RANDOM:xx it will generate a password of
  the length represented by xx.

• You can make command line changes remotely using
  various tools from the Resource Kit, or from the
  excellent http://www.sysinternals.com website.
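As an added example of the XP/2003 directory service tools mentioned in the first note, the script below audits a domain account's group memberships before you grant it local admin rights, so you can confirm the account has not already been dropped into a privileged domain group by mistake. It is not part of the original article. It assumes the article's sample account JoeU, that DSQUERY is available on the machine where it runs, and that its companion tool DSGET (not named in the notes, but shipped alongside DSQUERY/DSADD/DSMOD) is also present.

```batch
@echo off
REM Added example (not from the original article): look up a domain
REM account's DN with DSQUERY, then list its group memberships with DSGET.
REM Assumes the DS tools are installed and the account is JoeU (sample value).
setlocal
set "USER=JoeU"

REM Resolve the distinguished name from the SAM account name. DSQUERY
REM prints the DN in double quotes, which is the form DSGET expects back.
for /f "delims=" %%D in ('dsquery user -samid %USER%') do set "DN=%%D"
if not defined DN (
    echo No domain account with sAMAccountName %USER% was found.
    exit /b 1
)
echo Account DN: %DN%

REM List every group the account belongs to, including nested membership.
echo Group memberships for %USER%:
dsget user %DN% -memberof -expand

REM Flag the case the article warns against: rights granted through a
REM domain-wide administrative group rather than the workstation's own
REM local Administrators group.
dsget user %DN% -memberof -expand | findstr /I /L /C:"Domain Admins" >nul
if not errorlevel 1 (
    echo WARNING: %USER% is a member of Domain Admins.
    echo Grant local rights with NET LOCALGROUP on the workstation instead.
    exit /b 2
)
echo %USER% holds no Domain Admins membership.
endlocal
exit /b 0
```

The same DSQUERY/DSGET pair works for any account or group, so it doubles as a quick way to review who holds domain-level administrative rights without opening the GUI snap-ins.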