Re: desktop level support

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 02/26/05 

Date: Fri, 25 Feb 2005 23:13:41 -0600

You can delegate any domain user the right to add workstations to the
domain. If you select the domain and right click you will see the option to
delegate. You can also do this at the OU level where the user will need the
permissions to create computer objects. You can also add his domain account
to the local administrators group on domain computers that you want him to
have administrator powers. That can be done via a Group Policy startup
script with the net localgroup command or the use of Restricted Groups at
the Organizational Unit [NOT domain or you will add to administrators group
for the domain!!] level. Assuming your computers are SP4 you can user
Restricted Groups with the "member of" option. You could then create a
domain global group and make it a "member of" administrators. Then add the
domain users you want to that group to be administrators of domain
computers. --- Steve

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/gp/611.asp
 --- Restricted Groups
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/ctrlwiz.mspx -
-- delgation.

"David" <David@discussions.microsoft.com> wrote in message
news:000021BB-2B0B-43F2-8CFF-0ED67DB0C43C@microsoft.com...
> hi!
>
> We're expecting a IT Tech to join us soon. He'll only be doing
> desktop/client OS support. My question is what is the best access-right
> that
> i can give, so that he can carried out his support task, without giving
> him
> full administrative right(especially to the servers)? He'll probably need
> to
> join domain for the clients, install Norton corporate edition(managed),
> and
> client level administrative right of course.
>
> Any idea, what's the best option? Thks!
>

Relevant Pages

  • Re: Remote Desktop Users and Least User Rights
    ... the Administrators group, the list of authorized remote users (My Computer ... Remote tab> Select Remote Users) gets wiped out. ... or you could create a simple startup script assigned via GPO to add them. ... You can create/link a new GPO at the appropriate OU where your computers ...
    (microsoft.public.windowsxp.security_admin)
  • Re: Unable to connect to remote performance counters
    ... logon domain user to the local administrators group on your remote machine. ... I have two computers which are in the same domain. ... Microsoft Online Community Support ... where an initial response from the community or a Microsoft Support ...
    (microsoft.public.win32.programmer.networks)
  • IE Hangs for non-Admin users
    ... 5000+ Windows XP Service Pack 1 desktops. ... Our Helpdesk reports that by far the biggest call they are getting is to do ... - The problem does not happen on all computers and can't easily be replicated ... - The problem does not occur with users in the Administrators group ...
    (microsoft.public.windows.inetexplorer.ie6.browser)
  • Re: User type
    ... This does help Mike - thanks ... > If the computer is member of domain then you should use domain user ... > After you have this account and group created you can write a short script ... > administrator and make your users local administrators. ...
    (microsoft.public.windows.server.setup)
  • Re: Rights Issues (i think) with domain pcs
    ... Quickbooks is the same and requires admin privileges on the local ... eh admin group on the local computers. ... I inherited this network also other wise i would have set up ... >> You probably know that a member of the domain administrators grp by ...
    (microsoft.public.windows.server.general)