• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 146
  • Last Modified:

Need to create restricted user

Dear All,

I am using windows 2000 Server SP4.

As being an administrator i have all rights on the server. Now i have some support guys in my company who are taking care of PC's level problems. Up to now they know administrator password to add PC's to the domain.
Now i want to create one user from which they can add PC's to the domain and can install software, service packs on it. Other than that i dont want to give any kind of permission to that accout even loggin through terminal serives.

To which group or what kind of permission should i give to that accout ? Give me a short solution instead Links to other sites.

Thanks and Regards
  • 3
1 Solution
in a group policy add the account name to 'add workstations to domain'

hope that help

Nirmal SharmaSolution ArchitectCommented:
Hi Javed,

Your requirement is the following: -

1. Add PC's to the domain
2. Install software, service packs on it.

So here are the steps you want: -

1. Goto Active Directory Users and Computer and Edit the Default Domain Policy and not the Group Policy loacted at Domain Controller's OU because if you edit or change anything in this policy the settings will apply to only domain controllers and not domain members. After editing the Default Domain Policy navigate to the following location: -

\Computer Configuration
       Windows Settings
             Security Settings
                    Local Policies
                           User Rights Assignment

In Right Pane you will find many rights, find the right supplied by dr_binks name "Add workstations to domain".
In this you add the Group you want to have this right.

Now for Software Installation: -
See, by default, only Local Administrtors and Domain Administrators have the highest previlege in a Local machine and domain controller machine respectivily. The member of these two groups can install Softwares and Service Packs on local machine or domain Controller machine. If you want them to install softwares and service packs on Local machine then you have to make them member of either Local Administrator or Domain Admins group but making them member of Domain Admins is not recommended because if you make them member of Domain Admins group then they have more rights to control domain controllers within this domain. So making them the member of Local Administrator group make sense.

Let me know.

javeed_ccnaAuthor Commented:

Dearsystem prog

Clear me last point, How to make a active directory user as a local administrator rights for every PC?
Nirmal SharmaSolution ArchitectCommented:
>>>Clear me last point, How to make a active directory user as a local administrator rights for every PC?
That's an easy job, javed. You can use Group Policy's add group. Add the user to the Administrators group.

Nirmal SharmaSolution ArchitectCommented:

Featured Post

Hire Technology Freelancers with Gigs

Work with freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely, and get projects done right.

  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now