Windows 2003 Groups membership
Hi there,
I have installed a fresh new Windows server 2003 enterprise server and upgraded it to a domain controller. There is one Exchange server 2003 Enterprise edition.
Now I have created Different different OUs in Active Directory and created users in them.
Now I have 6 users in helpdesk team who need to do day today routine adminstrative task on the desktop computers in domain. These users do not work on servers. Now i want to provide these users the permissions on the computer they logon to that is equivalent to the local Administrator of that computer so that they can perform the software installation, data copy from user's profile to other profile, change security permissions on files etc.
For this i created one domain local security group and added all these 6 users to this group. Now which group should i add this domain local group to so that these users can get the necessary rights.
Second thing I tried making these users the member of Administrator group in Builtin container. But still these users dont have administrative permission on the computer they logon to. I then tried adding them to domain admins group also, still no luck. The only group that worked is enterprise admins which itself is the member of the Administrators group in builtin container. ------>Quiet confusing for me and strange also.
Third thing I created two groups one global security and another domain local security group. Then I added few users to the domain local security group and added the same users to the global security group also. Now i tried giving the shared permission on some folders on which everyone has full controll NTFS permission. But the members on these groups are still not able to access those folders. they get access denied message, where as if i give share permission to users directly rather then giving permissions to the groups, it works fine.Tellme what kind of groups i need to make so that i can gib=ve permission to the group and the users of that group get the neccesssary permission.
The Domain functional level is Windows 2000 (Mixed). And the Forest Functional Level is Windows 2000..
Please help me understanding these problems.
Thanks
I have installed a fresh new Windows server 2003 enterprise server and upgraded it to a domain controller. There is one Exchange server 2003 Enterprise edition.
Now I have created Different different OUs in Active Directory and created users in them.
Now I have 6 users in helpdesk team who need to do day today routine adminstrative task on the desktop computers in domain. These users do not work on servers. Now i want to provide these users the permissions on the computer they logon to that is equivalent to the local Administrator of that computer so that they can perform the software installation, data copy from user's profile to other profile, change security permissions on files etc.
For this i created one domain local security group and added all these 6 users to this group. Now which group should i add this domain local group to so that these users can get the necessary rights.
Second thing I tried making these users the member of Administrator group in Builtin container. But still these users dont have administrative permission on the computer they logon to. I then tried adding them to domain admins group also, still no luck. The only group that worked is enterprise admins which itself is the member of the Administrators group in builtin container. ------>Quiet confusing for me and strange also.
Third thing I created two groups one global security and another domain local security group. Then I added few users to the domain local security group and added the same users to the global security group also. Now i tried giving the shared permission on some folders on which everyone has full controll NTFS permission. But the members on these groups are still not able to access those folders. they get access denied message, where as if i give share permission to users directly rather then giving permissions to the groups, it works fine.Tellme what kind of groups i need to make so that i can gib=ve permission to the group and the users of that group get the neccesssary permission.
The Domain functional level is Windows 2000 (Mixed). And the Forest Functional Level is Windows 2000..
Please help me understanding these problems.
Thanks
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
>>For this I need to logon to all 500 Pcs first and then add the HELPDESK group to the local admin group.
not true, assuming that all of these machines are connected to the network and are in the domain you can do all of this over the network. That is the point of having a domain and a network after all (so you dont have to go to every client machines to change settings via sneakernet)
all you need to do is below... it is copied from another EE user in your exact situation.
Set a startup script in group policy with the following line:
NET localgroup Administrators /add "domain_name\HELPDESK
That's it....the next time the computers are started, the group will be added to the local admin group.
https://www.experts-exchange.com/questions/21289460/Adding-domain-group-to-the-local-Administrators-group.html
not true, assuming that all of these machines are connected to the network and are in the domain you can do all of this over the network. That is the point of having a domain and a network after all (so you dont have to go to every client machines to change settings via sneakernet)
all you need to do is below... it is copied from another EE user in your exact situation.
Set a startup script in group policy with the following line:
NET localgroup Administrators /add "domain_name\HELPDESK
That's it....the next time the computers are started, the group will be added to the local admin group.
https://www.experts-exchange.com/questions/21289460/Adding-domain-group-to-the-local-Administrators-group.html
ASKER
>>you need to create a group called helpdesk,,,, then you need to make the helpdesk group a member of the local administrator's group on every PC that you want them to manage.
I want these 6 users to manage 500 PCs. For this I need to logon to all 500 Pcs first and then add the HELPDESK group to the local admin group. Then where is the ease of administration. please provide an alternate solution.