ConfigurationRules for LocalGroups on Windows 2000 client computers

Ŗ Back†† www.TryWare.Dk

Frequently Asked Questions:



How do I uninstall Your program?


Run W2kLocalPassword.exe and find the LocalAdministratorís passwords on all Your W2k-client computers. Hide the passwords in Your safety box, and consider if You want to change the passwords.

Run UnInstall.exe on Your own W2k-client computer and remove the W2kLocalGroupPolicy$-share on Your server.

Thereís nothing installed on Your W2k-client computers when W2kLocalGroupRights.exe runs.


How do You recommend setting up W2k-workstations?


1.      Consider to precede all LoginNames and ComputerNames with 2 or 3 equal characters defining which department they reside in. For each individual user, make identical LoginName and ComputerName.
It makes it easier to use our reports, because You can split the reports for each department.
If You havenít done this already, remember to use Microsoftís SysPrep-tool after You renames Your ComputerNames.

2.      Choose Yes to (1-LR) DomainUsers using ComputerNames in £íComputerí-DomainUserYes.txt for each computer. This is hard work, but must be done once and for all.

3.      Choose the button ConfigurationRules for Local Groups (used by loginscript), and choose Administrators. Then choose Yes to (5-LR) Every character in ComputerName identical with LoginName.

4.      Consider using (6-LR) Number of logins before earlier granted users are removed, if some of Your computers are used by several users. Thatís because inserting a user in the LocalAdministratorsGroup only works from the next login.


What do I do if there are different language-versions on my W2k-client computers?


As told on Productsheet, You canít use W2kLocalGroupPolicy on different language-versions.
But if You will have the trouble, You can fool the program:

1.      Install and run W2kLocalGroupPolicy.exe on computer ONE.
Input GroupNames according to language ONE.
Choose server ONE when asked for ConfigurationRules.
Make loginscript ONE, and set the corresponding users profile.

2.      Install and run W2kLocalGroupPolicy.exe on computer TWO.
Input GroupNames according to language TWO.
Choose server TWO when asked for ConfigurationRules.
Make loginscript TWO, and set the corresponding users profile.

As You can se, there is a problem, if users with language ONE logons to a computer with language TWO. If so, W2kLocalGroupRights.exe runs, but it makes an @ERROR-ComputerName-log file with ERROR 1024: Invalid GroupName (561)


What does W2kLocalGroupRights.exe actually do?

Every time Your user logins, it examines Your ConfigurationRules, and if the users matches Your rules, the DomainUser is added to the Local Administrators Group (or the other local groups if You configures it).

Then it ensures, that the Domain Administrators Group is inserted in the Local Administrators Group if itís missing, and only then it changes the Local Administrators password to a random password. (Use W2kLocalPassword.exe if You want it for a computer with network-problems).

Then it examines each other current members (users or groups) of the Local Administrators Group, and removes them if they donít match Your rules. But Domain Users remains in the group Local Administrators Group for the next X logins, if You have set (6-LR) Number of logins before earlier granted users are removed.

Then it makes the following log-files for each computer:

*.yes   Who is inserted to the local group

*.no    Who is removed from the local group

*.log    Current status for the group
*.last   X last logins, if You have set (6-LR)

Where should I install the files, when running Setup.exe?


You must install on Your own W2k-client computerís hard disc. You can use C:\TryWareDk\W2kLocalGroupPolicy, or another folder on Your hard disc, but donít choose to install on a servers drive.
When You run W2kLocalGroupPolicy.exe from Your own hard disc the first time, it copies the necessary files to the server.

If other IT-System administrators needs to install W2kLocalGroupPolicy.exe on their own hard disc, make sure, that they choose the same server, when running W2kLocalGroupPolicy.exe for the first time.



Why arenít Local Users automatically added or removed from the Local Group when using 2-LR and 2-NR?


Local User doesnít run LoginScript with W2kLocalGroupRights.exe


Using 2-LR makes it possible to manually add a Local User to the Local Group, without having it removed when a Domain User logins.

Using 2-NR makes it possible to automatically remove a Local User from the Local Group, but only when a Domain User logins.


Top of this site


:o) Your brain is like a parachute. It works best when it's open









w2k local admin group windows 2000 permissions


local admin group W2k: Your colleague's got total power of Your pc from his own computer on Your corporate Network: Read TryWareDk's Website - Microsoft Windows 2000 HTML Securityhole Member Local Administrators Group Hotfix Admin Admins Administrator Groups Members Security Office program programs software freeware shareware Outlook Distributionsliste Email Adressbook Adressebog Mandatberegning