
For the first time, I'm able to add new Windows workstations to my domain. [For years we had a "standalone" 2k server, not a DC, and all our workstations were Windows Home] Now I have some new Windows 7 Pro workstations I would like to join to the domain. When I do, the only login that can resolve UAC challenges when installing software on the new workstations is "Administrator" for the server. From one of the items in "Related Questions", I found only "Administrator" works because my other administrator logins are for the server, not the domain.

I need users to have complete local control and the ability to install their own software. I create "admin" accounts on the local machine but of course they do not override the permissions in Active Directory. I've read a great deal about "Restricted Groups" and the Group Policy Object Editor and creating a localAdmin group, but my domain's Policy Object tree looks nothing like the examples I've seen. Is there an easier way? Can I do something with the user access permissions for each workstation under myDomain\Computers? If not, where can I find a primer on constructing the proper policies and permissions from scratch? Thanks

1 Answer


You're mixing two issues here: local administrator privileges and Windows 7's User Account Control.

Gaining local administrator rights can be accomplished in many ways: being domain administrators, adding users/groups to the local Administrators group on workstations (either manually or via machine startup scripts), or using the "restricted groups" GPO settings.

Yet, even being local administrators could not be enough: UAC exists exactly for that, keeping users safe from their own mistakes by not giving them full local administrative rights even if they rightfully own them, thus forcing them to explicitly state if/when they want to perform an action with full administrative privileges.

UAC also has the ability to spot those situations where the user would need administrative rights but doesn't have them; in those cases, it can (if so configured) automatically prompt the user for the logon credentials of another user account which may have more rights than the one they're currently using.

If a user doesn't have administrative rights and tries to do some task which requires them, UAC will prompt for another logon.

If a user actually has proper rights but UAC is active (which is its default setting), it will ask the user for confirmation; to bypass this, you can right-click on the program you want to run and select the "run as administrator" option.

If you wish so, you can fine-tune (or even disable) UAC, either in a system's Control Panel, or via group policies (if you have Windows Server 2008 R2 domain controllers, or have imported the latest group policy administrative templates in a previous version domain).

Massimo
  • Can you walk me through it? I set up each workstation with two local Administrator accounts, one for the user and one for me. Both still show up as admins in Control_Panel->User_Accounts. On the ADDC, I opened Group Policy Management and created a new Group Policy object under my domain (LocalAdminGP). I edited LocalAdminGP, and browsed to Computer_Configuration->Windows_Settings->Security_Settings->Restricted_Groups. I added each group with users who need local control and made each a member of Administrators (my understanding is this is LOCAL admins, not domain). What did I do wrong? –  Jul 26 '10 at 22:14
  • You should create **domain** accounts in AD, and then add *them* to the local Administrators group on all machines, either manually or via Group Policies; also, beware that "restricted groups" **really** means "restricted": once you configure that policy in AD, it will not only *add* users to local groups, but it will also *remove* each user (be it local or domain) which doesn't fit; if you misconfigure it, it's easy to remove **all** local administrators from a machine, which will totally lock you out of it. – Massimo Jul 27 '10 at 05:34
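The answer's alternative to Restricted Groups is adding a domain account or group to each workstation's local Administrators group via a machine startup script. The script below is an added example, not code from the question or the answer; it assumes a domain group named `MYDOMAIN\WorkstationAdmins` (a placeholder name) and uses `net.exe`, which is available on Windows 7. Unlike the "Members of this group" setting of Restricted Groups, this is purely additive: existing local administrators, including the local accounts the asker already created, are left in place.

```powershell
# Added example: machine startup script that ensures a domain group is a
# member of the local Administrators group, without touching other members.
# Startup scripts run as LocalSystem, so no credential prompt or UAC
# elevation is involved. "MYDOMAIN\WorkstationAdmins" is an assumed name.
param(
    [string]$DomainGroup = 'MYDOMAIN\WorkstationAdmins',
    [string]$LocalGroup  = 'Administrators'
)

# net localgroup prints one member per line, so the array of output lines
# can be searched directly for the exact account name.
$before = net localgroup $LocalGroup
if ($LASTEXITCODE -ne 0) {
    Write-Error "Could not read local group '$LocalGroup' (exit $LASTEXITCODE)."
    exit 1
}

if ($before -contains $DomainGroup) {
    Write-Output "$DomainGroup is already a member of $LocalGroup; nothing to do."
    exit 0
}

# Additive change only: other members of Administrators are not removed.
net localgroup $LocalGroup $DomainGroup /add | Out-Null
if ($LASTEXITCODE -ne 0) {
    # Typical causes: the domain group name is wrong, or the workstation
    # cannot reach a domain controller to resolve it.
    Write-Error "Failed to add $DomainGroup to $LocalGroup (exit $LASTEXITCODE)."
    exit 1
}

# Verify the change actually took effect before reporting success.
$after = net localgroup $LocalGroup
if ($after -contains $DomainGroup) {
    Write-Output "Added $DomainGroup to $LocalGroup."
} else {
    Write-Error "$DomainGroup not found in $LocalGroup after adding it."
    exit 1
}
```

Assign it under Computer Configuration -> Windows Settings -> Scripts (Startup) in a GPO linked to the OU containing the workstations; because the script only ever adds a member, a misconfigured group name fails visibly in the event log rather than locking administrators out the way an authoritative Restricted Groups policy can.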