Re: administrative privilege Q.
From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 04/14/05
- Next message: XxLicherxX: "Re: Send alert when new account is created?"
- Previous message: Steven L Umbach: "Re: Error enrolling machine certs"
- In reply to: David: "Re: administrative privilege Q."
- Next in thread: David: "Re: administrative privilege Q."
- Reply: David: "Re: administrative privilege Q."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 14 Apr 2005 11:32:57 -0500
You could use Group Policy Restricted Groups at the Organizational Unit
Level. Assuming you are using at least W2K SP4 you could create an OU and
place the computers in the OU where you want him to be a local admin. Then
configure Restricted Groups and use "member of" for administrators group.
Create a domain global group, add the user to that group, and add it to the
"member of" for administrators. Otherwise you could use a Group Policy
"startup" script for those computers using the command [ net localgroup
administrators "mydomain\user" /add ] to add that user to the local
administrators group on those computers.
--- Steve
http://www.windowsecurity.com/articles/Using-Restricted-Groups.html
http://support.microsoft.com/default.aspx?kbid=810076
http://support.microsoft.com/default.aspx?scid=kb;en-us;198642
"David" <NOSPAMDavidGerst@anti-spam.tempco.com> wrote in message
news:%23s4vpvQQFHA.1472@TK2MSFTNGP10.phx.gbl...
> Is there a way to make them local administrators w/o having to go around and
> manually add the account to each machine?
>
>
> "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
> news:OC$yZ8HQFHA.1340@TK2MSFTNGP10.phx.gbl...
>> You can add any domain account to the local administrators group on any
>> domain computer other than domain controllers which will give the user
>> admin powers on just that computer where you add them to the local
>> administrators group. There is no way to do such on domain controllers.
>> About the best you can do in that case is give the user additional user
>> rights and add them to privileged groups such as server operator which
>> still will not allow them to install most software on a domain
>> controller. You can also use Group Policy to assign .msi applications to
>> a computer/user or publish an application for a user. Assigned/published
>> applications will be automatically installed if assigned to a computer or
>> can be installed by a user even if they do not have admin powers. ---
>> Steve
>>
>>
>> "David" <NOSPAMDavidGerst@anti-spam.tempco.com> wrote in message
>> news:uttThFHQFHA.3384@TK2MSFTNGP10.phx.gbl...
>>> How would I go about granting someone local machine (workstations)
>>> administrator privileges without making them a domain admin which would
>>> then grant them full access to the servers?
>>>
>>> I saw in group policy there is a setting where you can allow a
>>> user/group to install device drivers. I did not see any such setting
>>> that would allow them to install applications to the desktop.
>>>
>>> thanks.
>>>
>>> - David
>>>
>>
>>
>
>
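The startup-script option from Steve's reply, written out as an added example that is not part of the original thread: a Group Policy computer startup script built around the same net localgroup command, made safe to run on every boot. MYDOMAIN\Workstation Admins is a placeholder domain global group (a group rather than a single user, as in the Restricted Groups variant), the log path is an assumption, and the script assumes the local group is named Administrators (English-language Windows).

```batch
@echo off
rem Added example: GPO computer startup script (runs as Local System).
rem Link the GPO only to the OU holding the target workstations.
setlocal

rem Placeholder group name; replace with your own domain global group.
set "GROUP=MYDOMAIN\Workstation Admins"
rem Assumed log location, writable by Local System.
set "LOG=%SystemRoot%\Temp\localadmin.log"

rem net localgroup lists domain members as DOMAIN\name, one per line.
rem If the group is already present, exit quietly so reboots do not
rem generate "already a member" errors.
net localgroup Administrators | find /i "%GROUP%" >nul
if not errorlevel 1 goto :eof

rem Add the domain group to the local Administrators group.
net localgroup Administrators "%GROUP%" /add >nul 2>&1
if errorlevel 1 (
    echo %date% %time% FAILED to add %GROUP% on %COMPUTERNAME% >> "%LOG%"
    goto :eof
)

rem Confirm the change took effect and record it for later review.
net localgroup Administrators | find /i "%GROUP%" >nul
if errorlevel 1 (
    echo %date% %time% add reported success but %GROUP% not listed >> "%LOG%"
) else (
    echo %date% %time% added %GROUP% on %COMPUTERNAME% >> "%LOG%"
)
endlocal
```

Unlike Restricted Groups, a script like this only adds membership: taking a computer out of the OU does not remove the group from its local Administrators group.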