Re: Allow lab manager admin rights to group of computers



JonR <jonr451@xxxxxxxxxxx> wrote:
I have a computer savvy educator who manages his own lab of
computers. These are on a W2k3 AD domain. All machines run Windows
XP. I want to find the most efficient way to delegate administrator
rights on these computers (and only these computers). The computers
are already in an OU.
Sorry if this sounds like a bonehead question... I've just never had
to implement it.
Thanks for your time and suggestions.
Jon

Here's my boilerplate on "How do I give a domain user local admin rights?"
.....you can tweak this to apply only to this OU, or use an additional AD
group called "Lab Computer Admins" that does, etc etc etc.

Always use AD security groups and not individual user accounts, when
assigning permissions....

--------------------------------------

Here's what I do:

Set up AD groups called LocalAdmin, LocalPowerUser, RDUser (for Remote
Desktop access)

The batch file would have this:
.........
rem Local group names that contain spaces must be quoted
net localgroup administrators DOMAIN\localadmin /add
net localgroup "power users" DOMAIN\localpoweruser /add
net localgroup "remote desktop users" DOMAIN\RDUser /add
.........

When I set up a new user, I often find I need to add their domain account to
LocalAdmin before I log in as them the first time to customize their
profile/install any sw that must be installed by the user him/herself
....then remove them from the domain LocalAdmin group on the domain when
done.

You can create/link a new GPO at the appropriate OU where your computers
live

Edit the GPO - go to Computer Configuration \ Windows Settings \ Scripts
(startup/shutdown)
Double-click Startup, click Add
Copy the batch file you created to the clipboard, then paste it in the
window here
Exit/apply/ok/finish whatever

All the computers in this OU should have the startup script applied when
they restart, and you can now control all this at the server.
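
An idempotent variant of the startup script described above, as an added example that is not part of the original post: it checks each local group before adding, so repeated reboots do not produce "already a member" errors, and it logs any failed add (for example when the domain group cannot be resolved at boot). DOMAIN and the log file path are placeholders; the AD group names are the ones listed in the post.

```bat
@echo off
rem Added example, not from the original post.
rem Assumptions: DOMAIN is a placeholder for the AD domain name,
rem and the log path below is an arbitrary choice.
setlocal
set DOM=DOMAIN
set LOG=%SystemRoot%\Temp\lab-localgroups.log

call :ensure "Administrators"       "%DOM%\LocalAdmin"
call :ensure "Power Users"          "%DOM%\LocalPowerUser"
call :ensure "Remote Desktop Users" "%DOM%\RDUser"

endlocal
goto :eof

:ensure
rem %~1 = local group on this computer, %~2 = domain group to add.
rem find returns errorlevel 0 when the domain group is already listed.
net localgroup "%~1" | find /i "%~2" >nul
if not errorlevel 1 goto :eof

rem Not a member yet: add it and record the outcome.
net localgroup "%~1" "%~2" /add >nul 2>&1
if errorlevel 1 (
  echo %date% %time% FAILED adding %~2 to %~1 >>"%LOG%"
) else (
  echo %date% %time% added %~2 to %~1 >>"%LOG%"
)
goto :eof
```

Reviewing the log on a lab machine after a restart shows whether the GPO startup script actually ran and which groups it changed.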



