Making domain users local admins

24/11/2007, 15h39   #1
Laphan

Hi All

I had a problem whereby the teachers couldn't use their home internet on
their 'domain-linked' laptops because of the limited access that they get.

Didn't want to make them part of the domain admins groups so somebody
suggested that I add the domain users group (which they are part of) to the
laptop's local admins (i.e. via Computer Management / Users&Groups / Groups /
Admins).

Is this OK to do?

They seem to be able to get to the TCP/IP bit now, but what other 'doors'
have I opened to the blessed teachers by doing this?

Can they install/uninstall software now???

Thanks

Laphan


24/11/2007, 15h48   #2
Pegasus (MVP)


"Laphan" <admin@DontSpam.com> wrote in message
news:exPmZfqLIHA.4456@TK2MSFTNGP03.phx.gbl...
> Hi All
>
> I had a problem whereby the teachers couldn't use their home internet on
> their 'domain-linked' laptops because of the limited access that they get.
>
> Didn't want to make them part of the domain admins groups so somebody
> suggested that I add the domain users group (which they are part of) to
> the
> laptop's local admins (ie via Computer Management / Users&Groups/ Groups/
> Admins.
>
> Is this OK to do?
>
> They seem to be able to get to the TCP/IP bit now, but what other 'doors'
> have I opened to the blessed teachers by doing this?
>
> Can they install/uninstall software now???
>
> Thanks
>
> Laphan
>


They will be able to install/modify/uninstall anything on their
PCs and they have full access to all files and folders. They
have no general access to server-based files but you should
test this to be on the safe side.


24/11/2007, 17h02   #3
Kerry Brown

With XP there is almost no other way to allow users to use their computer
for normal use. With Vista this will change somewhat with UAC as programs
are updated to be Vista compatible.

--
Kerry Brown
Microsoft MVP - Shell/User
http://www.vista.ca


"Laphan" <admin@DontSpam.com> wrote in message
news:exPmZfqLIHA.4456@TK2MSFTNGP03.phx.gbl...
> Hi All
>
> I had a problem whereby the teachers couldn't use their home internet on
> their 'domain-linked' laptops because of the limited access that they get.
>
> Didn't want to make them part of the domain admins groups so somebody
> suggested that I add the domain users group (which they are part of) to
> the
> laptop's local admins (ie via Computer Management / Users&Groups/ Groups/
> Admins.
>
> Is this OK to do?
>
> They seem to be able to get to the TCP/IP bit now, but what other 'doors'
> have I opened to the blessed teachers by doing this?
>
> Can they install/uninstall software now???
>
> Thanks
>
> Laphan
>
>


24/11/2007, 18h51   #4
Florian Frommherz [MVP]

Howdie!

Laphan wrote:
> Didn't want to make them part of the domain admins groups so somebody
> suggested that I add the domain users group (which they are part of) to the
> laptop's local admins (ie via Computer Management / Users&Groups/ Groups/
> Admins.
>


Don't make them admins. That's way too much. If those laptops are on
Windows XP, you can use the "Network Operators" group to let them change
IP and network configuration.

cheers,

Florian
--
Microsoft MVP - Windows Server - Group Policy.
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
24/11/2007, 18h58   #5
Laphan

Hi

Tried that and it wouldn't work.

As soon as they got the network components list, ie Client for Networks,
TCP/IP, etc, they couldn't click into the TCP/IP entry to go and edit it.

Although I'm saying that I made them network operators via Active Directory
control panel on the server!

Should I have made the teachers network operators on the Local Admin setup
of the laptop?

Thanks

Laphan

"Florian Frommherz [MVP]" <florian@PLEASELEAVETHISOUT.frickelsoft.net> wrote
in message news:uRFrsKsLIHA.4688@TK2MSFTNGP06.phx.gbl...
> Howdie!
>
> Laphan wrote:
> > Didn't want to make them part of the domain admins groups so somebody
> > suggested that I add the domain users group (which they are part of) to
> > the
> > laptop's local admins (ie via Computer Management / Users&Groups/ Groups/
> > Admins.
> >
>
> Don't make them admins. That's way too much. If those laptops are on
> Windows XP, you can use the "Network Operators" group to let them change
> IP and network configuration.
>
> cheers,
>
> Florian
> --
> Microsoft MVP - Windows Server - Group Policy.
> eMail: prename [at] frickelsoft [dot] net.
> blog: http://www.frickelsoft.net/blog.


24/11/2007, 19h09   #6
Florian Frommherz [MVP]

Howdie!

Laphan wrote:
> Although I'm saying that I made them network operators via Active Directory
> control panel on the server!
>
> Should I have made the teachers network operators on the Local Admin setup
> of the laptop?


Of course you need to make those changes on the client computers. Have a
look at "Restricted Groups":

http://technet2.microsoft.com/window....mspx?mfr=true
http://www.frickelsoft.net/blog/?p=13

cheers,

Florian
--
Microsoft MVP - Windows Server - Group Policy.
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
24/11/2007, 23h07   #7
\RemS



"Florian Frommherz [MVP]" wrote:

> Howdie!
>
> Laphan wrote:
> > Although I'm saying that I made them network operators via Active Directory
> > control panel on the server!
> >
> > Should I have made the teachers network operators on the Local Admin setup
> > of the laptop?

>
> Of course you need to make those changes on the client computers. Have a
> look at "Restricted Groups":
>
> http://technet2.microsoft.com/window....mspx?mfr=true
> http://www.frickelsoft.net/blog/?p=13
>
> cheers,
>
> Florian
> --
> Microsoft MVP - Windows Server - Group Policy.
> eMail: prename [at] frickelsoft [dot] net.
> blog: http://www.frickelsoft.net/blog.
>


Assuming you are using cached credentials.

It is recommended to create a new security group in AD and add that group to
the local groups (using 'Restricted Groups'), rather than adding the user
account directly to the local groups.
Then use ADU&C to control the members of the new AD group, by adding or
deleting users to this group.
Once the AD group is added to the specific local group, users just have to
log off and log on at the office, after you added them to the group in AD.

Go through this thread about 'Restricted groups'
http://www.petri.co.il/forums/showthread.php?t=12489

Alternatively you can control the members of local groups by script:
http://windows.stanford.edu/Public/I...p.html#Scripts
In this case you add the new AD security group to the local groups by
computer startup script, instead of using the 'Restricted Groups' computer
configuration policy.

If the users do not use cached credentials, then use the local account the
users use to log on at home (or use a startup script to add a new local user
account to the computers). Then add that account to the group; you can do
that also by using Restricted Groups.


\Rems
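
The startup-script variant described in the post above, together with a check for the "Domain Users in local Administrators" situation the thread warns about (an added example, not code from any poster in this thread). It assumes Windows PowerShell 5.1 or later with the LocalAccounts cmdlets, which postdate the XP-era laptops discussed here; `EXAMPLE\Laptop-NetConfig` is a hypothetical AD group name, and "Network Configuration Operators" is the full name of the built-in group.

```powershell
# Added example: intended to run as a computer startup script (SYSTEM context)
# while the laptop is on the office network, so the AD group can be resolved.
# ASSUMPTIONS: Windows PowerShell 5.1+; the AD group name is a placeholder.
$DelegatedGroup = 'EXAMPLE\Laptop-NetConfig'   # hypothetical dedicated AD group

# Well-known SIDs keep the script independent of the OS display language
# (the built-in groups are renamed on localized Windows installations).
$NetConfigOperatorsSid = 'S-1-5-32-556'   # BUILTIN\Network Configuration Operators
$AdministratorsSid     = 'S-1-5-32-544'   # BUILTIN\Administrators

# Principals too broad to hold local admin rights on a workstation.
$BroadSidPatterns = @(
    '^S-1-5-21-.+-513$',   # <domain>\Domain Users
    '^S-1-5-11$',          # Authenticated Users
    '^S-1-1-0$',           # Everyone
    '^S-1-5-4$'            # INTERACTIVE
)

function Test-BroadPrincipal([string]$Sid) {
    foreach ($pattern in $BroadSidPatterns) {
        if ($Sid -match $pattern) { return $true }
    }
    return $false
}

# 1. Delegate network configuration through the dedicated AD group only.
#    Membership is then managed centrally by editing that group in AD.
$current = Get-LocalGroupMember -SID $NetConfigOperatorsSid
if ($current.Name -notcontains $DelegatedGroup) {
    Add-LocalGroupMember -SID $NetConfigOperatorsSid -Member $DelegatedGroup
    Write-Output "Added $DelegatedGroup to Network Configuration Operators"
}

# 2. Report (do not silently fix) broad groups nested in local Administrators.
foreach ($member in Get-LocalGroupMember -SID $AdministratorsSid) {
    if (Test-BroadPrincipal $member.SID.Value) {
        Write-Warning "'$($member.Name)' is in local Administrators on $env:COMPUTERNAME"
    }
}
```

Unlike a 'Restricted Groups' policy, this script only adds the one group and reports what it finds; it does not remove other members.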
25/11/2007, 01h00   #8
Al Dunbar


"Florian Frommherz [MVP]" <florian@PLEASELEAVETHISOUT.frickelsoft.net> wrote
in message news:uRFrsKsLIHA.4688@TK2MSFTNGP06.phx.gbl...
> Howdie!
>
> Laphan wrote:
>> Didn't want to make them part of the domain admins groups so somebody
>> suggested that I add the domain users group (which they are part of) to
>> the laptop's local admins (ie via Computer Management / Users&Groups/
>> Groups/ Admins.
>>

>
> Don't make them admins. That's way too much. If those laptops are on
> Windows XP, you can use the "Network Operators" group to let them change
> IP and network configuration.


And don't add a generic AD group like "Domain Users" to *any* group with
privileges on a workstation. This is why "\RemS" recommended you create a
new AD group for the purpose - so that it can be managed.

/Al

> cheers,
>
> Florian
> --
> Microsoft MVP - Windows Server - Group Policy.
> eMail: prename [at] frickelsoft [dot] net.
> blog: http://www.frickelsoft.net/blog.



05/12/2007, 10h53   #9
Mohamed Garrana

Hey Laphan,
have you tried setting the TCP/IP alternate configuration for them to use at home?
What exactly is it that they want to do at home and can't? Changing their
TCP/IP configuration?

"Laphan" wrote:

> Hi
>
> Tried that and it wouldn't work.
>
> As soon as they got the network components list, ie Client for Networks,
> TCP/IP, etc, they couldn't click into the TCP/IP entry to go and edit it.
>
> Although I'm saying that I made them network operators via Active Directory
> control panel on the server!
>
> Should I have made the teachers network operators on the Local Admin setup
> of the laptop?
>
> Thanks
>
> Laphan
>
> "Florian Frommherz [MVP]" <florian@PLEASELEAVETHISOUT.frickelsoft.net> wrote
> in message news:uRFrsKsLIHA.4688@TK2MSFTNGP06.phx.gbl...
> Howdie!
>
> Laphan wrote:
> > Didn't want to make them part of the domain admins groups so somebody
> > suggested that I add the domain users group (which they are part of) to
> > the
> > laptop's local admins (ie via Computer Management / Users&Groups/ Groups/
> > Admins.
> >

>
> Don't make them admins. That's way too much. If those laptops are on
> Windows XP, you can use the "Network Operators" group to let them change
> IP and network configuration.
>
> cheers,
>
> Florian
> --
> Microsoft MVP - Windows Server - Group Policy.
> eMail: prename [at] frickelsoft [dot] net.
> blog: http://www.frickelsoft.net/blog.
>
>
>

14/01/2008, 19h09   #10
Trevor Sullivan

Adding your "Domain Users" group to all the local admin groups on your
systems is asking for trouble. Think about it ... if a virus executes as
a user on one system, that virus will automatically have full rights to
remotely install itself on everyone's system. At **LEAST** just add
individual users to the admin group, if you're going to do it at all,
but I would put some effort into investigating how to get around the
admin rights problem altogether.

Aaron Margosis has some excellent blog entries about working around LUA
bugs.

----------------
Trevor Sullivan
Systems Engineer

Laphan wrote:
> Hi All
>
> I had a problem whereby the teachers couldn't use their home internet on
> their 'domain-linked' laptops because of the limited access that they get.
>
> Didn't want to make them part of the domain admins groups so somebody
> suggested that I add the domain users group (which they are part of) to the
> laptop's local admins (ie via Computer Management / Users&Groups/ Groups/
> Admins.
>
> Is this OK to do?
>
> They seem to be able to get to the TCP/IP bit now, but what other 'doors'
> have I opened to the blessed teachers by doing this?
>
> Can they install/uninstall software now???
>
> Thanks
>
> Laphan
>
>
