
Local Computer permissions in AD/Domain


18 replies to this topic

#1 bjamrok

bjamrok

  • Members
  • 159 posts
  • OFFLINE
  • Gender:Male
  • Location:Illinois
  • Local time:11:36 PM

Posted 11 July 2011 - 01:16 PM

Here is the scenario. I have roughly 20 computers joined to a domain on a Windows 2003 R2 server running Active Directory. All computers other than the server are running XP Pro. On 6 of the XP computers I have a special piece of software, e.g. ABC software. On those 6 computers the local user needs administrative privileges on 2 folders and a handful of registry keys. Can I make a group or group policy to allow administrative access to the required folders and registry keys on just those 6 machines? The folders and keys are identical on all machines. Right now the only two options I see are to go to each computer and add the permissions for the correct domain group to each folder and key, or to run users as local machine administrators. Neither of these is a desired solution. Any help would be appreciated.

Brian
Sincerely,

Brian

"Thanks to all of you who contribute to open source projects and communities!"

http://jamroktech.blogspot.com



#2 cryptodan

cryptodan

    Bleepin Madman


  • Members
  • 21,868 posts
  • OFFLINE
  • Gender:Male
  • Location:Catonsville, Md
  • Local time:04:36 AM

Posted 11 July 2011 - 01:45 PM

Why not just add those users to the local administrator group on the computers in question?

#3 bjamrok


Posted 11 July 2011 - 01:49 PM

That is actually the current configuration. We have problems with that from users adding / removing software. One user installed 3 antivirus programs side by side. Many of the machines end up with 4-8 toolbars in the web browsers. We'd like to lock down the workstations to maintain usability. Plus our share of malware issues increased after the admin privileges were given out of necessity for the software.

#4 bjamrok


Posted 11 July 2011 - 01:50 PM

I guess what I'm really looking for is to apply local file / registry permissions using a wildcard for the local machine. Not sure if that is possible.

#5 cryptodan


Posted 11 July 2011 - 01:54 PM

You can limit what they can install, I think, via GPOs.

What directories do they need access to?

#6 bjamrok


Posted 11 July 2011 - 02:02 PM

Unfortunately, due to policy I have to be generic here, but the software package in question needs full control on 2 directories, e.g. C:\Program Files\dir1 and C:\Program Files\dir2, and 2 registry folders, HKEY_LOCAL_MACHINE\SOFTWARE\program1 and HKEY_LOCAL_MACHINE\SOFTWARE\program2. I know that I can make a domain user group for this software and add my users to it, but I have to go to each machine with the software and change each of these folders or keys individually. I'd like to just make a group and somehow say that this group has permissions on *wildcardcomputername*\c:\program files\dir1 etc.

#7 cryptodan


Posted 11 July 2011 - 02:14 PM

Well, this is what I would do: install the software into another directory on the drive and only give them access to that folder.

#8 bjamrok


Posted 11 July 2011 - 02:24 PM

I think perhaps I'm confusing you. I have the ability right now to go into both directories and registry keys and give permissions to the users/groups that I want to. The problem is that I have to go to computer 1 and add these permissions, then go to several other buildings to add the permissions to computers 2, 3, 4, 5, and 6. I would like to either export the permissions from computer 1 and apply them via the domain to the other computers, or create some kind of GP or security policy that allows permissions to be applied to computers 1-6. This also ensures that all 6 computers will have the exact same permissions for our software. The problem is that I don't see any way to apply permissions from the Domain Controller to the member computers' local file systems. I can only give a group permissions to a server directory. The software has to be installed on each local computer. Does that make more sense?

#9 cryptodan


Posted 11 July 2011 - 02:37 PM

No, you are not confusing me; you should not be granting them any admin rights to Program Files. You should install the applications in another directory called c:\needadminrights.

You can then grant them local admin rights to that directory only, and deny them elsewhere.

#10 bjamrok


Posted 11 July 2011 - 02:52 PM

Ok,

If I install the software in a directory on each computer called needadminrights, how can I tell the domain to give a user or user group access to c:\needadminrights\ on all 6 computers without going to each computer and adding the users to the needadminrights directory?

#11 cryptodan


Posted 11 July 2011 - 08:01 PM

You can add them to a group on the AD to give them read/write access to that directory.

#12 Baltboy

Baltboy

    Bleepin' Flame Head


  • BC Advisor
  • 1,430 posts
  • OFFLINE
  • Gender:Male
  • Location:Pennsylvania
  • Local time:12:36 AM

Posted 12 July 2011 - 10:13 AM

You will have to create the group in AD first. Then, when you install the program to the designated folder (or just use the existing folders, for that matter), you will have to set the folder(s)' NTFS permissions to give the newly created AD group the proper level of rights (Modify should be more than enough). The same goes for the registry keys. You should be able to perform everything you need from the domain controller: RDP to the desktop and change the needed permissions on the folders and registry entries. Everything else will exist in AD on the domain controller. You can even push the software install from the DC if you want to.

Edited by Baltboy, 12 July 2011 - 10:14 AM.

Get your facts first, then you can distort them as you please.
Mark Twain
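An added example (not code from the thread) of the procedure described in this post, run from one console against all six workstations rather than an RDP session to each: it grants a placeholder domain group Modify on the two folders and the registry equivalent on the two keys, then returns the resulting ACEs so the hosts can be compared. It assumes PowerShell remoting is available on the targets, which the XP/2003 machines in the thread lack; there the script block would be run locally. Computer names, the group name and the paths are placeholders.

```powershell
# Added example, not from the thread; every name below is a placeholder.
$Computers = 'PC01', 'PC02', 'PC03', 'PC04', 'PC05', 'PC06'      # the six workstations
$Group     = 'CONTOSO\ABC Software Users'                        # group created in AD first
$Folders   = 'C:\Program Files\dir1', 'C:\Program Files\dir2'
$RegKeys   = 'HKLM:\SOFTWARE\program1', 'HKLM:\SOFTWARE\program2'

# Assumes WinRM/PowerShell remoting on the targets (XP has none; run the script block locally there).
$results = Invoke-Command -ComputerName $Computers -ArgumentList $Group, $Folders, $RegKeys -ScriptBlock {
    param($Group, $Folders, $RegKeys)
    $allow    = [System.Security.AccessControl.AccessControlType]::Allow
    $none     = [System.Security.AccessControl.PropagationFlags]::None
    # Modify lets the app write its own files without the ChangePermissions and
    # TakeOwnership rights that Full Control would add.
    $fsRights = [System.Security.AccessControl.FileSystemRights]::Modify
    $fsInh    = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    # Registry counterpart of Modify; keys are containers only, so ContainerInherit suffices.
    $rgRights = [System.Security.AccessControl.RegistryRights]'ReadKey, WriteKey'
    $rgInh    = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit

    foreach ($path in $Folders) {
        $acl  = Get-Acl -Path $path
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Group, $fsRights, $fsInh, $none, $allow)
        $acl.SetAccessRule($rule)          # replaces any existing Allow ACE for this group
        Set-Acl -Path $path -AclObject $acl
    }
    foreach ($key in $RegKeys) {
        $acl  = Get-Acl -Path $key
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule($Group, $rgRights, $rgInh, $none, $allow)
        $acl.SetAccessRule($rule)
        Set-Acl -Path $key -AclObject $acl
    }

    # Return the ACEs now held by the group so all six hosts can be compared from one console.
    foreach ($path in ($Folders + $RegKeys)) {
        foreach ($ace in (Get-Acl -Path $path).Access) {
            if ("$($ace.IdentityReference)" -eq $Group) {
                [pscustomobject]@{
                    Computer = $env:COMPUTERNAME
                    Path     = $path
                    Rights   = $(if ($ace.FileSystemRights) { $ace.FileSystemRights } else { $ace.RegistryRights })
                    Type     = $ace.AccessControlType
                }
            }
        }
    }
}

# A host or path missing from this table still needs the change.
$results | Sort-Object Computer, Path | Format-Table Computer, Path, Rights, Type -AutoSize
```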

#13 cryptodan


Posted 12 July 2011 - 10:15 AM

Thank you Baltboy for your assistance. My AD Skills and knowledge are extremely novice level.

#14 bjamrok


Posted 12 July 2011 - 07:28 PM

Gentlemen,

I thank you for your assistance, and I don't mean to sound unappreciative, but the core of my question is still unanswered. I do appreciate the point of using RDP to access each machine from the Domain Controller so that I don't need to be physically at each machine. I'm perfectly familiar with applying the privileges in this manner using the domain groups. However, I still have to perform this configuration 6 different times via RDP? What I was really looking for is a way to say: look, all 6 computers have ABC software installed in c:\needadminrights\ or whatever. I was asking whether the domain offers the ability to just wildcard the computer name and issue permissions for any computer on the domain to have read/write/modify on the directory c:\needadminrights. I'm thinking of how Windows logon scripts use wildcards like %localmachine%. Can I issue a command that grants a domain user group read/write/modify access to the c:\needadminrights directory of any domain computer? This way, as we add the software to other computers, no additional permissions changes are required.

Thanks for all the time you've both put in.

Brian

#15 cryptodan


Posted 12 July 2011 - 07:34 PM

You can deploy it from the domain controller via WSUS, I imagine, and have it set up with the right permissions.



