
Delegating Control of Machines

Greetings,

I am looking at ways in which I can allow certain users more control over their clients. I want to allow some staff members the ability to install software. The reason being that we get a lot of trial educational applications and it is time-consuming to always have to install this under admin status and I simply don't have the manpower in my department of one. I am not sure how to go about this and would also appreciate any comments, especially if anyone felt this would really be a stupid move to allow set groups this function. I have thought about all the potential "catastrophes" but to allow more control seems like a viable option to try. Failing that I could always try to grow more arms and extend the hours of natural daylight.

Is it a GPO over the machine OUs or restructuring the grouping?

Thanks
Asked by: SeventhZen

scampgb Commented:
Hi SeventhZen,

Have you tried growing more arms?  It might be a bit quicker ;-)

It sounds like you need to make certain users members of the Local Administrators groups on a bunch of PCs.
This will allow those users complete access to the PCs.  

I'm assuming that the PCs you're talking about here are Win2000 Pro or WinXP Pro.

Firstly, create a security group of "PC Admins".  Put the people you want in this group.

What you need to do next will depend on how your OUs are arranged.  If you want to update permissions on all the PCs in (a) specific OU(s) then you can use Global Policy for doing it.

If it's not that clearly defined, you can update it manually from your PC (assuming you're logged in as an admin that has rights over the remote ones!):
Right-click My Computer, Manage
Action > Connect to another computer
Choose the PC you want to update
(getting hazy now as I've not got one of these in front of me...)
Go into local users & groups
Groups
Open the "Administrators" group.  Add your Domain "PC Admins" security group as a member of this group.

Job done :-)


Using GPO, you've got two options - login script or Restricted Groups.
Restricted Groups will overwrite the entire group on the PC.  So, if you have the user "fred" who is an admin of their machine, it'll cause trouble.
If you use this route, make sure that you include Domain Admins! :-)

There's an excellent article and example at http://windows.stanford.edu/Public/Infrastructure/LocalGroup.html
This explains how to do it with both scripts and restricted groups.

As for whether or not this is a good idea....
The PC Admins will have complete control over the PCs.  They can install anything, remove anything or change any settings.  They could even remove your admin rights from the PC.

Make sure that you trust the people doing this and that they understand what they're doing.  If the PCs are pretty standard, I suggest you use some sort of disk imaging (Ghost for example) so that it's easy for you to "put things right".  If they're installing a variety of trial software you'll need to do a reinstall once in a while.

Essentially, make sure the users know how to behave - and that you keep a baseball bat in your office in case they don't.

Let me know if you need any more help.
 
SeventhZen (Author) Commented:
Scampgb,

Thanks for taking the time out to review my problem. I do trust.....erm..some of the users but don't want to tempt fate. Your advice is useful, I think that for a select few I might be alright. I install all images from a RIS build and most of the main applications have MSIs bolted onto a GPO so it isn't the end of the world to wipe and start again. I generally run this once a summer anyway, just for a clean slate.

I think that now I know that it is possible, I will try it with a few specific users and see how I get on. The ones that still feel the CDROM Drive is an elaborate coffee mug holder can......feel the wrath of my freshly varnished baseball bat.

Appreciate the help.
 
SeventhZen (Author) Commented:
apologies for spelling your name wrong too......
 
scampgb Commented:
SeventhZen:
> apologies for spelling your name wrong too......
Nope - you got it right.  I was daft enough to choose a nickname that doesn't display well in many fonts! :-)

Although I said use "a" PC Admins group, there's no reason why you need to restrict it to one.
For example:

Classroom 1         PC Admins Classroom 1
Classroom 2         PC Admins Classroom 2
Classroom 3         PC Admins Classroom 3
Classroom 4         PC Admins Classroom 4
Classroom 5         PC Admins Classroom 5

Assuming that each classroom is in an OU of its very own.  That way you can restrict which of your admins have access to which PCs.

Incidentally, where else would I put my coffee?

Glad I could help :-)

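The Restricted Groups overwrite behaviour described in the answer, combined with the per-classroom groups from the follow-up, as an added example that is not part of either post. It is a pre-flight check that reports which accounts each PC would lose or gain if the policy list replaced its local Administrators group; the SCHOOL domain, PC names and memberships are constructed sample data, and the function name is hypothetical.

```powershell
# Added example. All names below (SCHOOL domain, PC names, members) are constructed.
# Policy: the member list Restricted Groups would enforce on the local
# Administrators group of every PC in each OU (the list replaces what is there).
$Policy = @{
    'Classroom 1' = @('SCHOOL\Domain Admins', 'SCHOOL\PC Admins Classroom 1')
    'Classroom 2' = @('SCHOOL\PC Admins Classroom 2')   # Domain Admins forgotten
}

# Current membership per PC. On a PC with Windows PowerShell 5.1 (newer than the
# Win2000/XP clients in the thread) the list can be read with:
#   (Get-LocalGroupMember -Group 'Administrators').Name
$Inventory = @(
    [pscustomobject]@{ Computer = 'C1-PC01'; OU = 'Classroom 1'
        Members = @('SCHOOL\Domain Admins', 'SCHOOL\fred') }
    [pscustomobject]@{ Computer = 'C2-PC01'; OU = 'Classroom 2'
        Members = @('SCHOOL\Domain Admins', 'SCHOOL\PC Admins Classroom 1') }
)

function Get-RestrictedGroupsImpact {
    param(
        [object[]]$Inventory,
        [hashtable]$Policy,
        [string]$Required = 'SCHOOL\Domain Admins'
    )
    foreach ($pc in $Inventory) {
        if (-not $Policy.ContainsKey($pc.OU)) { continue }   # OU not covered by the GPO
        $enforced = @($Policy[$pc.OU])
        [pscustomobject]@{
            Computer        = $pc.Computer
            # Present today but absent from the policy list: removed on refresh
            WillLose        = @($pc.Members | Where-Object { $_ -notin $enforced })
            # In the policy list but not yet a local admin: granted on refresh
            WillGain        = @($enforced | Where-Object { $_ -notin $pc.Members })
            # True: the domain-wide admin group would lose admin rights on this PC
            MissingRequired = ($Required -notin $enforced)
        }
    }
}

Get-RestrictedGroupsImpact -Inventory $Inventory -Policy $Policy | Format-List
```

Any row with a non-empty WillLose or with MissingRequired set to True is worth resolving before the GPO is linked to that OU.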
 
SeventhZen (Author) Commented:
Scampgb,

That is even better, that way I can allow Main School users control over their machines without allowing them access to installing software on Science machines for example, thus allowing a bit more tracking as to who does what.

Cheers, that was a big help.

Re: coffee, get it inside your system as quickly as possible. Coffee is good, coffee is your friend, gets you through the day. Then like Christmas dinner, wants to make you fall asleep in front of the telly. I wouldn't risk the danger of sacrificing the nectar to the snatching CDROM demon............[note to myself - get out more.] ;-)
 
scampgb Commented:
Glad I could help :-)

