Solved Domain Admin vs Local Admin

tachi91

I've reached a wall...
When a Network User is logged On they get prompted for Admin rights when they try to install something or change a setting... I'd rather them enter the Local Admin account on Windows 7 than giving them a Network Admin info since all the private files associated with that network admin would be available to them... But every prompt is asking for DOMAIN admin

How can I temporarily switch the Admin Prompt from DOMAIN to LOCAL?
 

Why should users have admin credentials in the first place? Why are you letting them install applications? Or change settings? Your setup makes no sense whatsoever.
 

For example Java Updates or Adobe Updates etc.. To keep things stable it's good to be updated.. So if they have Domain Admin rights it makes it suspicious that they can go around to other computers and do things but if I keep them with standard rights but tell them how to install things as the default Admin profile it reduces the chances of things getting around since each computer's Admin has a different Password.. But I figured it out

Here's a simple way to explain my setup

A new guy comes in.. He is given a Network wide Account with basic privileges.. So technically he can go to any random computer and Login but can't make system wide changes.

But to his assigned computer he has access to the Administrator Account which has a different password than all the others.. So if he decides to install programs it would ask for an Admin account.. which he can put the local info and only have it limited to his
 

Oh boy...you are just asking for a lot of trouble down the road. Any form of updates should be handled by the IT department in a uniform way, not haphazardly by users. That may work in a small start up company with just a few people but in the long run it is a very bad practice. When you no longer can control the machines it becomes an IT nightmare.
 

True.. In the situation I'm in now some people prefer different web browsers or they need to install a Program to try out.. At the moment it's better to give them the password for their admin account than having to walk around installing different software for different people.. Without risking security for the entire Network
 

FWIW: A suggestion, if they are logged onto the domain, no to giving them domain admins. But if you have them log onto their local machines, not the network, then they can log on as administrator and they have the password. When they log off, they can then log back onto the domain and they are now a regular user, not an admin. But the programs or updates that they ran when they were not connected to the network domain are still available to them once they log off and back onto the domain.

Was that clear?

rich
 

That's what I was going for.. But the problem that I did face was that when they were logged in as themselves any Admin Prompt would only allow Domain Accounts to be entered not Local... I did figure it out by simply putting in the "username" the computer's name example "RM-STAFF10\Administrator" then the prompt would change the DOMAIN to local and allow them to work in the program or setting as an admin.. Since the internet access is available only when signed in as a Domain account.. The local Admin account has no access to the outside web
 

Will just add my 2 cents to the good advice from the pros above - "Start as you mean to go on"

Although the practices you have outlined may work in the smaller network, you are making a rod for your own back, for the future.

By all means listen to the user preferences as to the software they prefer, evaluate the options, then make a decision based on what is best for the organisation as a whole, and go with that one. A system Administrator's life is hard enough as it is, without having to support multiple tools for the same job.

Have a look at system management software for the roll out of applications, updates and patches and only commence roll out once you are happy you can support the software concerned.

Spiceworks is a completely free option for basic management and Desktop Central is free for smaller systems and can handle all your updates and system changes. One or both of these will give you a good grounding in running a system that is reliable and manageable as it grows.

Edit

If you decide that you wish to proceed along the lines you outline, This is your system after all ;) you should be able to use restricted groups to add users as local admins and domain users - some examples are shown here which may give you a start point

http://myitforum.com/cs2/blogs/rdix...-to-local-administrators-group-using-gpo.aspx

hope it helps
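
A check that fits the Restricted Groups suggestion above, as an added example that is not part of the original thread: it parses the output of `net localgroup Administrators` and flags members outside an approved list. The sample output, the domain `CORP`, the user `jdoe` and the function names are constructed for illustration; `RM-STAFF10` is the computer name from the thread.

```python
import re

# Constructed sample of `net localgroup Administrators` output from a
# domain-joined workstation (hypothetical domain CORP, hypothetical user jdoe).
SAMPLE_OUTPUT = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\\Domain Admins
CORP\\jdoe
The command completed successfully.
"""

def parse_members(output):
    """Return the member lines listed between the dashed rule and the footer."""
    members, in_list = [], False
    for line in output.splitlines():
        line = line.strip()
        if re.fullmatch(r"-{10,}", line):
            in_list = True
        elif in_list and line and not line.startswith("The command completed"):
            members.append(line)
    return members

def audit(output, computer, allowed):
    """Split members into local and domain principals and flag unapproved ones.

    `allowed` holds approved entries, compared case-insensitively.
    A bare name or a COMPUTER\\name entry is a local account; any other
    qualifier is a domain principal.
    """
    allowed = {a.lower() for a in allowed}
    report = {"local": [], "domain": [], "unexpected": []}
    for member in parse_members(output):
        qualifier, _, _name = member.rpartition("\\")
        is_local = qualifier == "" or qualifier.lower() == computer.lower()
        report["local" if is_local else "domain"].append(member)
        if member.lower() not in allowed:
            report["unexpected"].append(member)
    return report

if __name__ == "__main__":
    result = audit(SAMPLE_OUTPUT, "RM-STAFF10",
                   allowed=["Administrator", "CORP\\Domain Admins"])
    for kind, names in result.items():
        print(f"{kind}: {names}")
```

Run against each workstation's real output, the `unexpected` list shows any account that gained local administrator rights outside the approved set.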
 
