One way to do this is to add the well-known security principal NT AUTHORITY\INTERACTIVE to the local administrators group. This guarantees anyone who logs on will have Administrator privileges, but only on that machine and only while logged on locally. A combination of ADSI's LDAP & WinNT providers come in handy here for scripting this change across many machines in an Active Directory environment.
If you were to leverage the Automatic Updates Service (Windows 2000 SP3 or higher) on your Desktops, which runs as localsystem (by Default), and point your Desktops to either your own SUS implementation or Microsoft's Windows Update site, the patch installation proceeds (when scheduled) without the need to do anything with permissions for users. The installation is performed by the service. __________________ Todd Povilaitis LAN Administrator Huntington Hospital [EMAIL PROTECTED] Phone: (626) 397-3392 Fax: (626) 397-2901 -----Original Message----- From: Nigel Glasgow [mailto:[EMAIL PROTECTED] Sent: Wednesday, September 24, 2003 07:27 To: [EMAIL PROTECTED] Subject: [ActiveDir] RE:Giving users temporary Local Admin rights for a period Is there anyway of giving users local admin rights for a specified period like the login time period to install Windows Updates/patches. We do not use any automated update services and our users only have Power user rights to their local system. Any suggestions. List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
