• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 279
  • Last Modified:

how can i give rights to some users to install software on member server without being power users?

Hi
i want to give some users right to install software on member servers (for patches etc) but i dont want them to able to create users.
Also i want them to be able to create computer accounts
and join machines on domains

thanx
Hockland
0
c_hockland
Asked:
c_hockland
  • 3
  • 2
1 Solution
 
Mad_JasperCommented:
For creating users;

Create an Organizational Unit (OU) in Active Directory User and Computers --> Assign the users or groups to the OU as desired --> Right-click the OU and choose Delegate Control --> select the desired check boxes --> Click Next, then Finish.

Those users will now be able to perform the tasks that you selected, such as creating users and computer accounts.
0
 
Mad_JasperCommented:
I completely misread your question but my answer still applies to creating computer accounts and joining machines to domains.

As far as installing patches and software on member servers, I believe that the user will have to have local administrative rights. Local admin rights will not allow users to perform domain-level tasks, only tasks on the member server that the user has been granted administrative control. The user could create local users on the member server, but they would not be domain-wide.

On the member server, right-click My Computer | Manage | Local Users and Groups | Right-Click Users | Select New User.
Once the user is created go to Groups | Administrators | Add | Type in the name of the user that was created | Click OK a couple of times and your are finished.


0
 
c_hocklandAuthor Commented:
my biggest concern is that i want them to have rights to run updates and patches and install software on member servers only (not domain controllers)
0
 
Mad_JasperCommented:
I think this should provide you with the correct solution. I have several users with delegated authority to create users and join computers to domains and it works perfectly.

The only way a user can login in locally to a domain controller is to be a domain admin. Since you would only allow that user local admin rights on a member server, he would not be able to login to a domain controller.

Part of my last post is incomplete.

"On the member server, right-click My Computer | Manage | Local Users and Groups | Right-Click Users | Select New User.
Once the user is created go to Groups | Administrators | Add | Type in the name of the user that was created | Click OK a couple of times and your are finished."

You would only create a new user if the user did not exists in the domain. If the user is a domain member you would go to Groups | Administrators | Add | Type in the name of the user that exists in the domain | click Check Name to verify that the user name is correct. If it is correct, the user's name will be underlined | Click OK a couple of times and your are finished.
0
 
c_hocklandAuthor Commented:
Thank you Mad_Jasper.
0

Featured Post

New feature and membership benefit!

New feature! Upgrade and increase expert visibility of your issues with Priority Questions.

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now