Managing Users Accounts and Rights In A Domain
Last Updated: 28 Dec 2004
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
*** PLEASE NOTE: Link(s), If Provided, May Be Wrapped ***
In most business environments, it is a good practice to
provide most users with very limited logon accounts which
allow them to access only what is necessary to get their
work done successfully. This typically means that they
do not receive enough rights to install things on their
local systems or accidentally delete/alter drivers or
other critical system components.
Occasionally, however, you may have need to provide an
otherwise average domain user with full control on his
or her local machine. If done incorrectly, this user
will end up with a high level of rights within the
domain itself, and much grief will ensue.
The appropriate way to accomplish this goal is to take
the user's DOMAIN account, and place it in the local
Administrators group of the machine in question. The
machine may have a local logon account (which should
only be for emergency purposes), but this is not the
account that is being addressed.
EXAMPLE:
=======================================
• Domain Name ............ MYDOMAIN
• User's Workstation ..... COMPUTER01
• User's Name ............ Joe User
• User's Acct Name ....... JoeU
• Local Admin Group ...... COMPUTER01\Administrators
• Domain User Account .... MYDOMAIN\JoeU
To add Joe's domain account to the local Administrators
group on his machine (COMPUTER01), you can use any of the
following methods:
• GUI (NT4)
START -> RUN -> USRMGR
USER -> SELECT DOMAIN
Enter "COMPUTER01"
Double-Click on "Administrators" in the "Groups" Pane
Select "Add"
Type "MYDOMAIN\JOEU" into the appropriate edit box
• GUI (Windows 2000/XP)
Right Click on "My Computer"
Select "Manage"
Right Click on "Computer Management (Local)"
Select "Connect To Another Computer..."
Enter "COMPUTER01"
Expand "Local Users and Groups"
Expand "Groups"
Double-Click on "Administrators" in the Right-Hand Pane
Select "Add..."
Type "MYDOMAIN\JOEU" into the appropriate edit box
Press "Check Names"
• CLI (Ye Ol' Command Line Interface)
Logon to the console of COMPUTER01
START -> RUN -> CMD
NET LOCALGROUP Administrators MYDOMAIN\JoeU /ADD
=======================================
You'll notice that the CLI method is far simpler than
the GUI method, and also that there are some subtle
differences in the dialog box options between versions
of Windows.
For this to take effect, "Joe User" must logon *after*
the changes have been made. If necessary, the user
should logout and log back on again for these rights
to take effect.
WHITEPAPERS & TECH DOCUMENTS
• http://KB.UltraTech-llc.com/Docs/?File=Secure2000Pro.htm
• http://www.winnetmag.com/WindowsSecurity/Article/ArticleID/37438/37438.html
• http://www.microsoft.com/windowsxp/home/using/productdoc/en/net_user.asp
• http://support.microsoft.com/?KBID=199878
• http://msdn.microsoft.com/library/periodic/period98/ewn0498.htm
• http://support.microsoft.com/?KBID=251394
• http://support.microsoft.com/?KBID=137978
• http://www.microsoft.com/windowsxp/home/using/productdoc/en/dsmod.asp
PERSONAL NOTES
• XP/2003 have new native commands that allow you to
query, add or modify various account information locally
or in Active Directory:
DSQUERY
DSADD
DSMOD
• The NET USER command supports a /RANDOM parameter which
will generate a random complex password. If you use the
paramater as /RANDOM:xx it will generate a password of
the length represented by XX.
• You can make command line changes remotely using
various tools from the Resource Kit, or from the
excellent http://www.sysinternals.com website.
