Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Delegating Control of Machines

Posted on 2004-10-08
6
Medium Priority
?
232 Views
Last Modified: 2010-04-19
Greetings,

I am looking at ways in which I can allow certain users more control over their clients. I want to allow some staff members the ability to install software. The reason being that we get a lot of trial educational applications and it is time consuming to always have to install this under admin status and I simply don't have the man power in my department of one. I am not sure how to go about this and would also appreciate any comments, especially if anyone felt this would really be a stupid move to allow set groups this function. I have thought about all the potential "catastrophies" but to allow more control seems like a viable option to try. Failing that I could always try to grow more arms and extend the hours of natural daylight.

Is it a GPO over the machine OU's or restructuring the grouping?

Thanks
0
Comment
Question by:SeventhZen
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
6 Comments
 
LVL 15

Accepted Solution

by:
scampgb earned 2000 total points
ID: 12257198
Hi SeventhZen,

Have you tried growing more arms?  It might be a bit quicker ;-)

It sounds like you need to make certain users members of the Local Administrators groups on a bunch of PCs.
This will allow those users complete access to the PCs.  

I'm assuming that the PCs you're talking about here are Win2000 Pro or WinXP Pro.

Firstly, create a security group of "PC Admins".  Put the people you want in this group.

What you need to do next will depend on how your OUs are arranged.  If you want to update permissions on all the PCs in (a) specific OU(s) then you can use Global Policy for doing it.

If it's not that clearly defined, you can update it manually from your PC (assuming you're logged in as an admin that has rights over the remote ones!):
Right-click My Computer, Manage
Action > Connect to another computer
Choose the PC you want to update
(getting hazy now as I've not got one of these in front of me...)
Go into local users & groups
Groups
Open the "Administrators" group.  Add your Domain "PC Admins" security group as a member of this group.

Job done :-)


Using GPO, you've got two options - login script or Restricted Groups.
Restricted Groups will overwrite the entire group on the PC.  So, if you have the user "fred" who is an admin of their machine, it'll cause trouble.
If you use this route, make sure that you include Domain Admins! :-)

There's an excellent article and example at http://windows.stanford.edu/Public/Infrastructure/LocalGroup.html
This explains how to do it with both scripts and restricted groups.

As for whether or not this is a good idea....
The PC Admins will have complete control over the PCs.  They can install anything, remove anything or change any settings.  They could even remove your admin rights from the PC.

Make sure that you trust the people doing this and that they understand what they're doing.  If the PCs are pretty standard, I suggest you use some sort of disk imaging (Ghost for example) so that it's easy for you to "put things right".  If they're installing a variety of trial software you'll need to do a reinstall once in a while.

Essentially, make sure the users know how to behave - and that you keep a baseball bat in your office in case they don't.

Let me know if you need any more help.
0
 
LVL 1

Author Comment

by:SeventhZen
ID: 12259902
Scampgb,

Thanks for taking the time out to review my problem. I do trust.....erm..some of the users but don't want to tempt fate. Your advice is useful, I think that for a select few I might be alright. I install all images from a RIS build and most of the main applications have MSI's bolted onto a GPO so it isn't the end of the world to wipe and start again. I generally run this once a summer anyway, just for a clean slate.

I think that now I know that it is possible, I will try it with a few specific users and see how I get on. The ones that still feel the CDROM Drive is an elaborate coffee mug holder can......feel the wrath of my freshly varnished baseball bat.

Appreciate the help.
0
 
LVL 1

Author Comment

by:SeventhZen
ID: 12259948
apologies for spelling your name wrong too......
0
Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

 
LVL 15

Expert Comment

by:scampgb
ID: 12259998
SeventhZen:
> apologies for spelling your name wrong too......
Nope - you got it right.  I was daft enough to choose a nickname that doesn't display well in many fonts! :-)

Although I said use "a" PC Admins group, there's no reason why you need to restrict it to one.
For example:

Classroom 1         PC Admins Classroom 1
Classroom 2         PC Admins Classroom 2
Classroom 3         PC Admins Classroom 3
Classroom 4         PC Admins Classroom 4
Classroom 5         PC Admins Classroom 5

Assuming that each classroom is in an OU of it's very own.  That way you can restrict which of your admins have access to which PCs.

Incidentally, where else would I put my coffee?

Glad I could help :-)

0
 
LVL 1

Author Comment

by:SeventhZen
ID: 12409461
Scampgb,

That is even better, that way I can allow Main School users control over their machines without allowing them access to installing software on Science machines for example, thus allowing a bit more tracking as to who does what.

Cheers, that was a big help.

Re: coffee, get it inside your system as quickly as possible. Coffee is good, coffee is your friend, gets you through the day. Then like christmas dinner, wants to make you fall asleep infront of the telly. I wouldn't risk the danger of sacrificing the nectar to the snatching CDROM demon............[note to myself - get out more.] ;-)
0
 
LVL 15

Expert Comment

by:scampgb
ID: 12409575
Glad I could help :-)


0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Numerous times I have been asked this questions that what is it that makes my machine log on so slow, there have been cases where computers took 23 minute exactly after taking password and getting to the desktop. Interesting thing was the fact th…
I've always wanted to allow a user to have a printer no matter where they login. The steps below will show you how to achieve just that. In this Article I'll show how to deploy printers automatically with group policy and then using security fil…
How to fix incompatible JVM issue while installing Eclipse While installing Eclipse in windows, got one error like above and unable to proceed with the installation. This video describes how to successfully install Eclipse. How to solve incompa…
In a question here at Experts Exchange (https://www.experts-exchange.com/questions/29062564/Adobe-acrobat-reader-DC.html), a member asked how to create a signature in Adobe Acrobat Reader DC (the free Reader product, not the paid, full Acrobat produ…
Suggested Courses

618 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question