chris000
asked on
Active Directory - How To: Local Admin
Hi,
Totally new to Active Directory..... Urgent (and possibly more than one question?) - so 500 points.
One person (other than me) requires full admin access to the domain controller machine - for everything APART from changing Active Directory related settings etc.
A couple of users require "real" Administration rights locally to their machine only.
Almost everyone requires local Adminstration rights to all Norton Anti Virus live update to run.
My question(s) are:
How do I allow Admin access to a user for all tasks except amending the Active Directory related "stuff"
How do I make someone an Administrator for their machine only? Preferably with the ability to manage this via Active Directory - rather than having to tinker with every machine locally.
Cheers.
Totally new to Active Directory..... Urgent (and possibly more than one question?) - so 500 points.
One person (other than me) requires full admin access to the domain controller machine - for everything APART from changing Active Directory related settings etc.
A couple of users require "real" Administration rights locally to their machine only.
Almost everyone requires local Adminstration rights to all Norton Anti Virus live update to run.
My question(s) are:
How do I allow Admin access to a user for all tasks except amending the Active Directory related "stuff"
How do I make someone an Administrator for their machine only? Preferably with the ability to manage this via Active Directory - rather than having to tinker with every machine locally.
Cheers.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
You shouldn't need local admin rights for Live Update to run. My users are restricted users and LiveUpdate runs correctly for them.
ASKER
Thanks.
If I understand you correctly, if someone can administer the machine, they can amend the Active Directory settings? (Can another group like Server Operator be used instead of administrator? Person needs to be able to reboot, backup, tweek IIS (for SUS) and thats about it)
In the ideal world I'd not add the general users to local admin...... But according to Symantec I need to do this:
http://service1.symantec.com/SUPPORT/sharedtech.nsf/d3c44a1678bd8f45852566aa005902cb/ddff30e8c11384c688256a31005cf0d7?OpenDocument&prod=Norton%20AntiVirus&ver=2003%20for%20Windows%202000/Me/98/XP&src=sg&pcode=nav&svy=&csm=no
I'm not using Norton AntiVirus Corporate Edition - maybe I should.
I'm curious - how do you get restricated user to run LiveUpdate -> I appreciate this is another question, so more points available if this one can be solved!
If I understand you correctly, if someone can administer the machine, they can amend the Active Directory settings? (Can another group like Server Operator be used instead of administrator? Person needs to be able to reboot, backup, tweek IIS (for SUS) and thats about it)
In the ideal world I'd not add the general users to local admin...... But according to Symantec I need to do this:
http://service1.symantec.com/SUPPORT/sharedtech.nsf/d3c44a1678bd8f45852566aa005902cb/ddff30e8c11384c688256a31005cf0d7?OpenDocument&prod=Norton%20AntiVirus&ver=2003%20for%20Windows%202000/Me/98/XP&src=sg&pcode=nav&svy=&csm=no
I'm not using Norton AntiVirus Corporate Edition - maybe I should.
I'm curious - how do you get restricated user to run LiveUpdate -> I appreciate this is another question, so more points available if this one can be solved!
ASKER
BTW - if relevent (should have said this first!)
Domain Controller is WIN2003 standard
Person(s) who need local admin are WIN2000 (you've answer this already - thanks)
All other users run XP PRO SP2
The XP users run either NAV2004 or NAV2005
They only currently use local admin to allow LiveUpdate to run (as I understood it this was required, see above link)
Domain Controller is WIN2003 standard
Person(s) who need local admin are WIN2000 (you've answer this already - thanks)
All other users run XP PRO SP2
The XP users run either NAV2004 or NAV2005
They only currently use local admin to allow LiveUpdate to run (as I understood it this was required, see above link)
Yes, I would highly suggest using symantec corp. edition...this is what I use and you can set it up to run live update automatically no matter who is logged in plus you can remotely control scans, etc if you set it up as managed.
ASKER
One for the next quarter - splurged all the budget on Active Directory machine!
Thanks for your rapid responses.
Thanks for your rapid responses.
When a server is a domain controller then you don't have a local account database on that system......so there are no local users on a domain controller like their are on workstations or non DC servers.
You can try the server operators group, that should give them the rights they need for basic tasks. Here is some more info on domain groups:
http://channels.lockergnome.com/it/archives/20050302_windows_server_2003_default_domain_local_groups.phtml
You can try the server operators group, that should give them the rights they need for basic tasks. Here is some more info on domain groups:
http://channels.lockergnome.com/it/archives/20050302_windows_server_2003_default_domain_local_groups.phtml