?
Solved

Delegating Control of Machines

Posted on 2004-10-08
6
Medium Priority
?
225 Views
Last Modified: 2010-04-19
Greetings,

I am looking at ways in which I can allow certain users more control over their clients. I want to allow some staff members the ability to install software. The reason being that we get a lot of trial educational applications and it is time consuming to always have to install this under admin status and I simply don't have the man power in my department of one. I am not sure how to go about this and would also appreciate any comments, especially if anyone felt this would really be a stupid move to allow set groups this function. I have thought about all the potential "catastrophies" but to allow more control seems like a viable option to try. Failing that I could always try to grow more arms and extend the hours of natural daylight.

Is it a GPO over the machine OU's or restructuring the grouping?

Thanks
0
Comment
Question by:SeventhZen
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
6 Comments
 
LVL 15

Accepted Solution

by:
scampgb earned 2000 total points
ID: 12257198
Hi SeventhZen,

Have you tried growing more arms?  It might be a bit quicker ;-)

It sounds like you need to make certain users members of the Local Administrators groups on a bunch of PCs.
This will allow those users complete access to the PCs.  

I'm assuming that the PCs you're talking about here are Win2000 Pro or WinXP Pro.

Firstly, create a security group of "PC Admins".  Put the people you want in this group.

What you need to do next will depend on how your OUs are arranged.  If you want to update permissions on all the PCs in (a) specific OU(s) then you can use Global Policy for doing it.

If it's not that clearly defined, you can update it manually from your PC (assuming you're logged in as an admin that has rights over the remote ones!):
Right-click My Computer, Manage
Action > Connect to another computer
Choose the PC you want to update
(getting hazy now as I've not got one of these in front of me...)
Go into local users & groups
Groups
Open the "Administrators" group.  Add your Domain "PC Admins" security group as a member of this group.

Job done :-)


Using GPO, you've got two options - login script or Restricted Groups.
Restricted Groups will overwrite the entire group on the PC.  So, if you have the user "fred" who is an admin of their machine, it'll cause trouble.
If you use this route, make sure that you include Domain Admins! :-)

There's an excellent article and example at http://windows.stanford.edu/Public/Infrastructure/LocalGroup.html
This explains how to do it with both scripts and restricted groups.

As for whether or not this is a good idea....
The PC Admins will have complete control over the PCs.  They can install anything, remove anything or change any settings.  They could even remove your admin rights from the PC.

Make sure that you trust the people doing this and that they understand what they're doing.  If the PCs are pretty standard, I suggest you use some sort of disk imaging (Ghost for example) so that it's easy for you to "put things right".  If they're installing a variety of trial software you'll need to do a reinstall once in a while.

Essentially, make sure the users know how to behave - and that you keep a baseball bat in your office in case they don't.

Let me know if you need any more help.
0
 
LVL 1

Author Comment

by:SeventhZen
ID: 12259902
Scampgb,

Thanks for taking the time out to review my problem. I do trust.....erm..some of the users but don't want to tempt fate. Your advice is useful, I think that for a select few I might be alright. I install all images from a RIS build and most of the main applications have MSI's bolted onto a GPO so it isn't the end of the world to wipe and start again. I generally run this once a summer anyway, just for a clean slate.

I think that now I know that it is possible, I will try it with a few specific users and see how I get on. The ones that still feel the CDROM Drive is an elaborate coffee mug holder can......feel the wrath of my freshly varnished baseball bat.

Appreciate the help.
0
 
LVL 1

Author Comment

by:SeventhZen
ID: 12259948
apologies for spelling your name wrong too......
0
Get real performance insights from real users

Key features:
- Total Pages Views and Load times
- Top Pages Viewed and Load Times
- Real Time Site Page Build Performance
- Users’ Browser and Platform Performance
- Geographic User Breakdown
- And more

 
LVL 15

Expert Comment

by:scampgb
ID: 12259998
SeventhZen:
> apologies for spelling your name wrong too......
Nope - you got it right.  I was daft enough to choose a nickname that doesn't display well in many fonts! :-)

Although I said use "a" PC Admins group, there's no reason why you need to restrict it to one.
For example:

Classroom 1         PC Admins Classroom 1
Classroom 2         PC Admins Classroom 2
Classroom 3         PC Admins Classroom 3
Classroom 4         PC Admins Classroom 4
Classroom 5         PC Admins Classroom 5

Assuming that each classroom is in an OU of it's very own.  That way you can restrict which of your admins have access to which PCs.

Incidentally, where else would I put my coffee?

Glad I could help :-)

0
 
LVL 1

Author Comment

by:SeventhZen
ID: 12409461
Scampgb,

That is even better, that way I can allow Main School users control over their machines without allowing them access to installing software on Science machines for example, thus allowing a bit more tracking as to who does what.

Cheers, that was a big help.

Re: coffee, get it inside your system as quickly as possible. Coffee is good, coffee is your friend, gets you through the day. Then like christmas dinner, wants to make you fall asleep infront of the telly. I wouldn't risk the danger of sacrificing the nectar to the snatching CDROM demon............[note to myself - get out more.] ;-)
0
 
LVL 15

Expert Comment

by:scampgb
ID: 12409575
Glad I could help :-)


0

Featured Post

Get real performance insights from real users

Key features:
- Total Pages Views and Load times
- Top Pages Viewed and Load Times
- Real Time Site Page Build Performance
- Users’ Browser and Platform Performance
- Geographic User Breakdown
- And more

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

by Batuhan Cetin In this article I will be guiding through the process of removing a failed DC metadata from Active Directory (hereafter, AD) using the ntdsutil tool in a Windows Server 2003 environment. These steps are not necessary in a Win…
Recently, I had the need to build a standalone system to run a point-of-sale system. I’m running this on a low-voltage Atom processor, so I wanted a light-weight operating system, but still needed Windows. I chose to use Microsoft Windows Server 200…
Add bar graphs to Access queries using Unicode block characters. Graphs appear on every record in the color you want. Give life to numbers. Hopes this gives you ideas on visualizing your data in new ways ~ Create a calculated field in a query: …
In this video you will find out how to export Office 365 mailboxes using the built in eDiscovery tool. Bear in mind that although this method might be useful in some cases, using PST files as Office 365 backup is troublesome in a long run (more on t…
Suggested Courses

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question