Solved

Delegating Control of Machines

Posted on 2004-10-08
Last Modified: 2010-04-19
Greetings,

I am looking at ways in which I can allow certain users more control over their clients. I want to allow some staff members the ability to install software. The reason being that we get a lot of trial educational applications and it is time-consuming to always have to install this under admin status and I simply don't have the manpower in my department of one. I am not sure how to go about this and would also appreciate any comments, especially if anyone felt this would really be a stupid move to allow set groups this function. I have thought about all the potential "catastrophes" but to allow more control seems like a viable option to try. Failing that I could always try to grow more arms and extend the hours of natural daylight.

Is it a GPO over the machine OUs or restructuring the grouping?

Thanks
Question by:SeventhZen
 
LVL 15

Accepted Solution

by:
scampgb earned 500 total points
ID: 12257198
Hi SeventhZen,

Have you tried growing more arms?  It might be a bit quicker ;-)

It sounds like you need to make certain users members of the Local Administrators groups on a bunch of PCs.
This will allow those users complete access to the PCs.  

I'm assuming that the PCs you're talking about here are Win2000 Pro or WinXP Pro.

Firstly, create a security group of "PC Admins".  Put the people you want in this group.

What you need to do next will depend on how your OUs are arranged.  If you want to update permissions on all the PCs in (a) specific OU(s) then you can use Global Policy for doing it.

If it's not that clearly defined, you can update it manually from your PC (assuming you're logged in as an admin that has rights over the remote ones!):
Right-click My Computer, Manage
Action > Connect to another computer
Choose the PC you want to update
(getting hazy now as I've not got one of these in front of me...)
Go into local users & groups
Groups
Open the "Administrators" group.  Add your Domain "PC Admins" security group as a member of this group.

Job done :-)


Using GPO, you've got two options - login script or Restricted Groups.
Restricted Groups will overwrite the entire group on the PC.  So, if you have the user "fred" who is an admin of their machine, it'll cause trouble.
If you use this route, make sure that you include Domain Admins! :-)

There's an excellent article and example at http://windows.stanford.edu/Public/Infrastructure/LocalGroup.html
This explains how to do it with both scripts and restricted groups.

As for whether or not this is a good idea....
The PC Admins will have complete control over the PCs.  They can install anything, remove anything or change any settings.  They could even remove your admin rights from the PC.

Make sure that you trust the people doing this and that they understand what they're doing.  If the PCs are pretty standard, I suggest you use some sort of disk imaging (Ghost for example) so that it's easy for you to "put things right".  If they're installing a variety of trial software you'll need to do a reinstall once in a while.

Essentially, make sure the users know how to behave - and that you keep a baseball bat in your office in case they don't.

Let me know if you need any more help.
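
The script route from the answer above, combined with a membership check, as an added example that is not part of the original post or the linked Stanford article. It assumes Windows PowerShell 5.1 or later (newer than the Win2000/XP clients in the thread), an elevated context such as a computer startup script, and placeholder domain and group names.

```powershell
# Added example: additive grant plus drift audit for the local Administrators group.
# Assumptions: Windows PowerShell 5.1+ (LocalAccounts module), run elevated.
# 'EXAMPLE' and the group names are placeholders, not values from the thread.
param(
    [string]$DelegatedGroup = 'EXAMPLE\PC Admins',
    [string[]]$Expected = @('EXAMPLE\Domain Admins', 'EXAMPLE\PC Admins'),
    [switch]$Apply    # without -Apply the script only reports
)

# Look the group up by its well-known SID so localized group names still work.
$adminGroup = Get-LocalGroup -SID 'S-1-5-32-544'
$members = @(Get-LocalGroupMember -Group $adminGroup)

# Additive change: add the delegated group only when it is missing.
# Unlike Restricted Groups, every existing member stays in place.
if ($members.Name -notcontains $DelegatedGroup) {
    if ($Apply) {
        Add-LocalGroupMember -Group $adminGroup -Member $DelegatedGroup
        Write-Output "Added $DelegatedGroup to $($adminGroup.Name)"
    } else {
        Write-Output "Would add $DelegatedGroup to $($adminGroup.Name) (rerun with -Apply)"
    }
}

# Audit: report every member that is neither expected nor the built-in
# local Administrator account (local principal with RID 500).
$unexpected = Get-LocalGroupMember -Group $adminGroup | Where-Object {
    $isBuiltinAdmin = $_.PrincipalSource -eq 'Local' -and $_.SID.Value -like '*-500'
    -not $isBuiltinAdmin -and $Expected -notcontains $_.Name
}

# Emit objects so the result can be piped to Export-Csv or a central log.
$unexpected | Select-Object @{ n = 'Computer'; e = { $env:COMPUTERNAME } },
    Name, ObjectClass, PrincipalSource
```

Anything the audit lists is an account that a Restricted Groups policy would remove, so reviewing that output first shows what an overwrite would change on each PC.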
 
LVL 1

Author Comment

by:SeventhZen
ID: 12259902
Scampgb,

Thanks for taking the time out to review my problem. I do trust.....erm..some of the users but don't want to tempt fate. Your advice is useful, I think that for a select few I might be alright. I install all images from a RIS build and most of the main applications have MSIs bolted onto a GPO so it isn't the end of the world to wipe and start again. I generally run this once a summer anyway, just for a clean slate.

I think that now I know that it is possible, I will try it with a few specific users and see how I get on. The ones that still feel the CDROM Drive is an elaborate coffee mug holder can......feel the wrath of my freshly varnished baseball bat.

Appreciate the help.
 
LVL 1

Author Comment

by:SeventhZen
ID: 12259948
Apologies for spelling your name wrong too......
 
LVL 15

Expert Comment

by:scampgb
ID: 12259998
SeventhZen:
> apologies for spelling your name wrong too......
Nope - you got it right.  I was daft enough to choose a nickname that doesn't display well in many fonts! :-)

Although I said use "a" PC Admins group, there's no reason why you need to restrict it to one.
For example:

Classroom 1         PC Admins Classroom 1
Classroom 2         PC Admins Classroom 2
Classroom 3         PC Admins Classroom 3
Classroom 4         PC Admins Classroom 4
Classroom 5         PC Admins Classroom 5

Assuming that each classroom is in an OU of its very own.  That way you can restrict which of your admins have access to which PCs.

Incidentally, where else would I put my coffee?

Glad I could help :-)

 
LVL 1

Author Comment

by:SeventhZen
ID: 12409461
Scampgb,

That is even better, that way I can allow Main School users control over their machines without allowing them access to installing software on Science machines for example, thus allowing a bit more tracking as to who does what.

Cheers, that was a big help.

Re: coffee, get it inside your system as quickly as possible. Coffee is good, coffee is your friend, gets you through the day. Then like Christmas dinner, wants to make you fall asleep in front of the telly. I wouldn't risk the danger of sacrificing the nectar to the snatching CDROM demon............[note to myself - get out more.] ;-)
 
LVL 15

Expert Comment

by:scampgb
ID: 12409575
Glad I could help :-)

