Solved

Delegating Control of Machines

Posted on 2004-10-08
6
177 Views
Last Modified: 2010-04-19
Greetings,

I am looking at ways in which I can allow certain users more control over their clients. I want to allow some staff members the ability to install software. The reason being that we get a lot of trial educational applications and it is time consuming to always have to install this under admin status and I simply don't have the man power in my department of one. I am not sure how to go about this and would also appreciate any comments, especially if anyone felt this would really be a stupid move to allow set groups this function. I have thought about all the potential "catastrophies" but to allow more control seems like a viable option to try. Failing that I could always try to grow more arms and extend the hours of natural daylight.

Is it a GPO over the machine OU's or restructuring the grouping?

Thanks
0
Comment
Question by:SeventhZen
  • 3
  • 3
6 Comments
 
LVL 15

Accepted Solution

by:
scampgb earned 500 total points
Comment Utility
Hi SeventhZen,

Have you tried growing more arms?  It might be a bit quicker ;-)

It sounds like you need to make certain users members of the Local Administrators groups on a bunch of PCs.
This will allow those users complete access to the PCs.  

I'm assuming that the PCs you're talking about here are Win2000 Pro or WinXP Pro.

Firstly, create a security group of "PC Admins".  Put the people you want in this group.

What you need to do next will depend on how your OUs are arranged.  If you want to update permissions on all the PCs in (a) specific OU(s) then you can use Global Policy for doing it.

If it's not that clearly defined, you can update it manually from your PC (assuming you're logged in as an admin that has rights over the remote ones!):
Right-click My Computer, Manage
Action > Connect to another computer
Choose the PC you want to update
(getting hazy now as I've not got one of these in front of me...)
Go into local users & groups
Groups
Open the "Administrators" group.  Add your Domain "PC Admins" security group as a member of this group.

Job done :-)


Using GPO, you've got two options - login script or Restricted Groups.
Restricted Groups will overwrite the entire group on the PC.  So, if you have the user "fred" who is an admin of their machine, it'll cause trouble.
If you use this route, make sure that you include Domain Admins! :-)

There's an excellent article and example at http://windows.stanford.edu/Public/Infrastructure/LocalGroup.html
This explains how to do it with both scripts and restricted groups.

As for whether or not this is a good idea....
The PC Admins will have complete control over the PCs.  They can install anything, remove anything or change any settings.  They could even remove your admin rights from the PC.

Make sure that you trust the people doing this and that they understand what they're doing.  If the PCs are pretty standard, I suggest you use some sort of disk imaging (Ghost for example) so that it's easy for you to "put things right".  If they're installing a variety of trial software you'll need to do a reinstall once in a while.

Essentially, make sure the users know how to behave - and that you keep a baseball bat in your office in case they don't.

Let me know if you need any more help.
0
 
LVL 1

Author Comment

by:SeventhZen
Comment Utility
Scampgb,

Thanks for taking the time out to review my problem. I do trust.....erm..some of the users but don't want to tempt fate. Your advice is useful, I think that for a select few I might be alright. I install all images from a RIS build and most of the main applications have MSI's bolted onto a GPO so it isn't the end of the world to wipe and start again. I generally run this once a summer anyway, just for a clean slate.

I think that now I know that it is possible, I will try it with a few specific users and see how I get on. The ones that still feel the CDROM Drive is an elaborate coffee mug holder can......feel the wrath of my freshly varnished baseball bat.

Appreciate the help.
0
 
LVL 1

Author Comment

by:SeventhZen
Comment Utility
apologies for spelling your name wrong too......
0
How to improve team productivity

Quip adds documents, spreadsheets, and tasklists to your Slack experience
- Elevate ideas to Quip docs
- Share Quip docs in Slack
- Get notified of changes to your docs
- Available on iOS/Android/Desktop/Web
- Online/Offline

 
LVL 15

Expert Comment

by:scampgb
Comment Utility
SeventhZen:
> apologies for spelling your name wrong too......
Nope - you got it right.  I was daft enough to choose a nickname that doesn't display well in many fonts! :-)

Although I said use "a" PC Admins group, there's no reason why you need to restrict it to one.
For example:

Classroom 1         PC Admins Classroom 1
Classroom 2         PC Admins Classroom 2
Classroom 3         PC Admins Classroom 3
Classroom 4         PC Admins Classroom 4
Classroom 5         PC Admins Classroom 5

Assuming that each classroom is in an OU of it's very own.  That way you can restrict which of your admins have access to which PCs.

Incidentally, where else would I put my coffee?

Glad I could help :-)

0
 
LVL 1

Author Comment

by:SeventhZen
Comment Utility
Scampgb,

That is even better, that way I can allow Main School users control over their machines without allowing them access to installing software on Science machines for example, thus allowing a bit more tracking as to who does what.

Cheers, that was a big help.

Re: coffee, get it inside your system as quickly as possible. Coffee is good, coffee is your friend, gets you through the day. Then like christmas dinner, wants to make you fall asleep infront of the telly. I wouldn't risk the danger of sacrificing the nectar to the snatching CDROM demon............[note to myself - get out more.] ;-)
0
 
LVL 15

Expert Comment

by:scampgb
Comment Utility
Glad I could help :-)


0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
Domain and Forest functional levels 11 61
home drive migration 16 66
Question about AD permissions 2 49
inactive users 13 53
Numerous times I have been asked this questions that what is it that makes my machine log on so slow, there have been cases where computers took 23 minute exactly after taking password and getting to the desktop. Interesting thing was the fact th…
ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

8 Experts available now in Live!

Get 1:1 Help Now