RE: [ActiveDir] Making a user a Domain Administrator
You can use Restricted Groups in a Policy to do this. Regards, /Jimmy - Jimmy Andersson, Q Advice AB Principal Advisor Microsoft MVP - Directory Services -- www.qadvice.com -- -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson Sent: Monday, December 13, 2004 11:10 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Making a user a Domain Administrator Add the user to the local administrator group on each machine in the domain. This can be done via script for example. Does anyone know if this can be done by GPO? Regards Peter Johnson -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Oluwaseyi Owoeye Sent: 13 December 2004 12:10 To: [EMAIL PROTECTED] Subject: [ActiveDir] Making a user a Domain Administrator Hi Guys, By Default the Domain Admin is an administrator on every client system in the domain. Suppose I want to extend this functionality, i.e. having a particular user who is not a domain administrator but has administrator rights on every client machine in the domain. How can I achieve this? Cheers Seyi List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Making a user a Domain Administrator
I'd suggest using Restricted Groups through group policy. If you go on the MS site you will get a ton of explanations and examples. BR Rob -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Oluwaseyi Owoeye Sent: 13 December 2004 10:19 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Making a user a Domain Administrator I have a domain with over 1000 computers and can't possibly go round the machines doing this. DO you have a sample script that can achieve this? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson Sent: Monday, December 13, 2004 11:10 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Making a user a Domain Administrator Add the user to the local administrator group on each machine in the domain. This can be done via script for example. Does anyone know if this can be done by GPO? Regards Peter Johnson -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Oluwaseyi Owoeye Sent: 13 December 2004 12:10 To: [EMAIL PROTECTED] Subject: [ActiveDir] Making a user a Domain Administrator Hi Guys, By Default the Domain Admin is an administrator on every client system in the domain. Suppose I want to extend this functionality, i.e. having a particular user who is not a domain administrator but has administrator rights on every client machine in the domain. How can I achieve this? Cheers Seyi List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ === Scanned for virus infection by Messagelabs === List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] Making a user a Domain Administrator
If your users have local admin rights on their machine, be very careful with restricted groups. Use a logon script instead. Dennis On Mon, 13 Dec 2004 11:26:50 +0100, Jimmy [EMAIL PROTECTED] wrote: You can use Restricted Groups in a Policy to do this. Regards, /Jimmy - Jimmy Andersson, Q Advice AB Principal Advisor Microsoft MVP - Directory Services -- www.qadvice.com -- -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson Sent: Monday, December 13, 2004 11:10 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Making a user a Domain Administrator Add the user to the local administrator group on each machine in the domain. This can be done via script for example. Does anyone know if this can be done by GPO? Regards Peter Johnson -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Oluwaseyi Owoeye Sent: 13 December 2004 12:10 To: [EMAIL PROTECTED] Subject: [ActiveDir] Making a user a Domain Administrator Hi Guys, By Default the Domain Admin is an administrator on every client system in the domain. Suppose I want to extend this functionality, i.e. having a particular user who is not a domain administrator but has administrator rights on every client machine in the domain. How can I achieve this? Cheers Seyi List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Making a user a Domain Administrator
Return Receipt Your RE: [ActiveDir] Making a user a Domain Administrator document : was Bradley Schutter/Hill Holliday Advertising Inc./US received by: at: 12/13/2004 09:20:37 AM List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Making a user a Domain Administrator
Return Receipt Your RE: [ActiveDir] Making a user a Domain Administrator document : was Bradley Schutter/Hill Holliday Advertising Inc./US received by: at: 12/13/2004 09:20:39 AM List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Making a user a Domain Administrator
The following fragment in the machine startup script adds 3 domain groups to the local admins group; we then just add users to the domain groups and they will then be local admins as needed. It's a bit kludged - it ought to check for membership first rather than just try and add... Steve sDomain=domainname Set oNet=createobject(wscript.network) sComputer=oNet.computername sLocalGroup=administrators Set oComputer = GetObject(WinNT:// sComputer) Set oLocalGroup = oComputer.GetObject(Group, sLocalGroup) On error resume next oLocalGroup.Add (WinNT:// sDomain / informationguidance) oLocalGroup.Add (WinNT:// sDomain / workexp) oLocalGroup.Add (WinNT:// sDomain / SAS) On error goto 0 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Oluwaseyi Owoeye Sent: 13 December 2004 10:19 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Making a user a Domain Administrator I have a domain with over 1000 computers and can't possibly go round the machines doing this. DO you have a sample script that can achieve this? List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Making a user a Domain Administrator
It depends. We had a long conversation on the use of restricted groups and the changes made in various SPs previously on this list. To summarize that conversation, with proper use of This group is a member of you will avoid the replacing of the contents. But you need to make sure you scope the GPOs properly. Please see the archives for this discussion unless someone wants to dig up the old note and post it. joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Perdue David J Contr InDyne/Enterprise IT Sent: Monday, December 13, 2004 11:11 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Making a user a Domain Administrator There is a danger to using restricted groups. It will replace the contents of the group with whatever you specify in the GPO. The only excpetion is the default local admin account. If you have a lot of users in the local admin, they will be removed when this gets applied. If you add a user to the local admin group, they will be removed based on your policy refresh cycle. Dave David J. Perdue Network Security Engineer, InDyne Inc Comm: (805) 606-4597DSN: 276-4597 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Monday, December 13, 2004 06:17 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Making a user a Domain Administrator 1. Use restricted groups. 2. Use startup scripts. Simply add some other group from the domain to the local administrators group of the machines. 3. Use a script or batch file that goes through all machines and adds the user. One thousand machines isn't many, but it is well beyond the number that you should already be pretty familiar with scripting. If you aren't, make that a high priority. At this point you should be doing most daily admin through scripts and command line tools, not GUI. joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Oluwaseyi Owoeye Sent: Monday, December 13, 2004 5:10 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] Making a user a Domain Administrator Hi Guys, By Default the Domain Admin is an administrator on every client system in the domain. Suppose I want to extend this functionality, i.e. having a particular user who is not a domain administrator but has administrator rights on every client machine in the domain. How can I achieve this? Cheers Seyi List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Making a user a Domain Administrator
You can set this up via group policy, but beware - unlike most GPO settings, setting the admin group membership is a permanent change, and will overwrite whatever the existing group membership is. TL -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Oluwaseyi Owoeye Sent: Monday, December 13, 2004 3:10 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] Making a user a Domain Administrator Hi Guys, By Default the Domain Admin is an administrator on every client system in the domain. Suppose I want to extend this functionality, i.e. having a particular user who is not a domain administrator but has administrator rights on every client machine in the domain. How can I achieve this? Cheers Seyi List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Making a user a Domain Administrator
As I mentioned earlier, it depends on how you do things. See http://support.microsoft.com/default.aspx?scid=kb;en-us;Q810076 Also from the list archives look for the thread [ActiveDir] [Slightly OT] Delete inhibit DOMAIN\Remote Manage ment group from local admins... From March. I think there was another conversation previous to that as well but can't recall the details. Hey Tony, how about updating the ActiveDir Org GPO FAQ? joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tyson Leslie Sent: Monday, December 13, 2004 1:08 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Making a user a Domain Administrator You can set this up via group policy, but beware - unlike most GPO settings, setting the admin group membership is a permanent change, and will overwrite whatever the existing group membership is. TL -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Oluwaseyi Owoeye Sent: Monday, December 13, 2004 3:10 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] Making a user a Domain Administrator Hi Guys, By Default the Domain Admin is an administrator on every client system in the domain. Suppose I want to extend this functionality, i.e. having a particular user who is not a domain administrator but has administrator rights on every client machine in the domain. How can I achieve this? Cheers Seyi List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Making a user a Domain Administrator
You can use the Restricted Groups settings in Group Policy to make particular users a member of the local administrators group without giving them any extra rights on the domain. http://support.microsoft.com/default.aspx?scid=kb;en-us;Q279301 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Oluwaseyi Owoeye Sent: 13 December 2004 10:10 To: [EMAIL PROTECTED] Subject: [ActiveDir] Making a user a Domain Administrator Hi Guys, By Default the Domain Admin is an administrator on every client system in the domain. Suppose I want to extend this functionality, i.e. having a particular user who is not a domain administrator but has administrator rights on every client machine in the domain. How can I achieve this? Cheers Seyi List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Making a user a Domain Administrator
If you would like to make a user ADMIN of all workstations you could one of the following: * Make that user a Domain Admin - very easy to achieve but I would NOT RECOMMEND this for security sake (to much for what that user eally needs) * I prefer the following: * Create a GLOBAL GROUP in the AD DOMAIN (something like: gsgADMonCLI) * Create a GPO and link that GPO (or use an existing GPO that's linked to the OU with the computer accounts) to the OU with computer accounts * Within that GPO use the Restricted Groups (Computer Configuration\Windows Settings\Security Settings\Restricted Groups) feature: Assign the group name YourDomain\gsgADMonCLI as a member of the group ADMINISTRATORS * make everyone that needs it (local admin on computers) a member of the group YourDomain\gsgADMonCLI * Wait until the computers have updated their GPO (reboot the computers, or force a refresh, or wait for about 90 min.) Regards, Jorge NOTE: This posting is provided AS IS with no warranties and with no rights! -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Oluwaseyi Owoeye Sent: maandag 13 december 2004 11:10 To: [EMAIL PROTECTED] Subject: [ActiveDir] Making a user a Domain Administrator Hi Guys, By Default the Domain Admin is an administrator on every client system in the domain. Suppose I want to extend this functionality, i.e. having a particular user who is not a domain administrator but has administrator rights on every client machine in the domain. How can I achieve this? Cheers Seyi List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you. List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Making a user a Domain Administrator
I have a domain with over 1000 computers and can't possibly go round the machines doing this. DO you have a sample script that can achieve this? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson Sent: Monday, December 13, 2004 11:10 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Making a user a Domain Administrator Add the user to the local administrator group on each machine in the domain. This can be done via script for example. Does anyone know if this can be done by GPO? Regards Peter Johnson -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Oluwaseyi Owoeye Sent: 13 December 2004 12:10 To: [EMAIL PROTECTED] Subject: [ActiveDir] Making a user a Domain Administrator Hi Guys, By Default the Domain Admin is an administrator on every client system in the domain. Suppose I want to extend this functionality, i.e. having a particular user who is not a domain administrator but has administrator rights on every client machine in the domain. How can I achieve this? Cheers Seyi List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Making a user a Domain Administrator
Add the user to the local administrator group on each machine in the domain. This can be done via script for example. Does anyone know if this can be done by GPO? Regards Peter Johnson -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Oluwaseyi Owoeye Sent: 13 December 2004 12:10 To: [EMAIL PROTECTED] Subject: [ActiveDir] Making a user a Domain Administrator Hi Guys, By Default the Domain Admin is an administrator on every client system in the domain. Suppose I want to extend this functionality, i.e. having a particular user who is not a domain administrator but has administrator rights on every client machine in the domain. How can I achieve this? Cheers Seyi List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] Making a user a Domain Administrator
Create a startup group. Place the following command in the startup script: Net Group Administrators GlobalGroupToAdd /add. This should work, but please test it first. Dennis On Mon, 13 Dec 2004 11:18:52 +0100, Oluwaseyi Owoeye [EMAIL PROTECTED] wrote: I have a domain with over 1000 computers and can't possibly go round the machines doing this. DO you have a sample script that can achieve this? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson Sent: Monday, December 13, 2004 11:10 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Making a user a Domain Administrator Add the user to the local administrator group on each machine in the domain. This can be done via script for example. Does anyone know if this can be done by GPO? Regards Peter Johnson -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Oluwaseyi Owoeye Sent: 13 December 2004 12:10 To: [EMAIL PROTECTED] Subject: [ActiveDir] Making a user a Domain Administrator Hi Guys, By Default the Domain Admin is an administrator on every client system in the domain. Suppose I want to extend this functionality, i.e. having a particular user who is not a domain administrator but has administrator rights on every client machine in the domain. How can I achieve this? Cheers Seyi List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Making a user a Domain Administrator
Return Receipt Your RE: [ActiveDir] Making a user a Domain Administrator document : was Lucia Washaya/UNAMSIL received by: at: 13/12/2004 13:35:53 GMT List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Making a user a Domain Administrator
Return Receipt Your RE: [ActiveDir] Making a user a Domain Administrator document : was Lucia Washaya/UNAMSIL received by: at: 13/12/2004 13:35:47 GMT List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Making a user a Domain Administrator
1. Use restricted groups. 2. Use startup scripts. Simply add some other group from the domain to the local administrators group of the machines. 3. Use a script or batch file that goes through all machines and adds the user. One thousand machines isn't many, but it is well beyond the number that you should already be pretty familiar with scripting. If you aren't, make that a high priority. At this point you should be doing most daily admin through scripts and command line tools, not GUI. joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Oluwaseyi Owoeye Sent: Monday, December 13, 2004 5:10 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] Making a user a Domain Administrator Hi Guys, By Default the Domain Admin is an administrator on every client system in the domain. Suppose I want to extend this functionality, i.e. having a particular user who is not a domain administrator but has administrator rights on every client machine in the domain. How can I achieve this? Cheers Seyi List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Making a user a Domain Administrator
There is a danger to using restricted groups. It will replace the contents of the group with whatever you specify in the GPO. The only excpetion is the default local admin account. If you have a lot of users in the local admin, they will be removed when this gets applied. If you add a user to the local admin group, they will be removed based on your policy refresh cycle. Dave David J. Perdue Network Security Engineer, InDyne Inc Comm: (805) 606-4597DSN: 276-4597 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Monday, December 13, 2004 06:17 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Making a user a Domain Administrator 1. Use restricted groups. 2. Use startup scripts. Simply add some other group from the domain to the local administrators group of the machines. 3. Use a script or batch file that goes through all machines and adds the user. One thousand machines isn't many, but it is well beyond the number that you should already be pretty familiar with scripting. If you aren't, make that a high priority. At this point you should be doing most daily admin through scripts and command line tools, not GUI. joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Oluwaseyi Owoeye Sent: Monday, December 13, 2004 5:10 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] Making a user a Domain Administrator Hi Guys, By Default the Domain Admin is an administrator on every client system in the domain. Suppose I want to extend this functionality, i.e. having a particular user who is not a domain administrator but has administrator rights on every client machine in the domain. How can I achieve this? Cheers Seyi List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/