I have a 2000 Active Directory server. I want to set up a group that I can join Lab managers to that will give them Administrative rights over the machine they log into, as long as the computer is in the right OU.
I tried adding a group to one OU, and under the security tab give that group full control, but that didn't work.
I want to AVOID having to go to each machine and adding the Local Admin account there.
I looked at delegating control, but the options there are not what I want either. I need these lab managers to be able to add software, delete things, do some troubleshooting, etc, but I don't want to give them Domain Admin access. ( I want to restrict them to just a few labs).