Solved

Windows 2003 Groups membership

Posted on 2006-05-17
Last Modified: 2010-07-27
Hi there,

I have installed a fresh new Windows server 2003 enterprise server and upgraded it to a domain controller. There is one Exchange server 2003 Enterprise edition.

Now I have created different OUs in Active Directory and created users in them.

Now I have 6 users in the helpdesk team who need to do day-to-day routine administrative tasks on the desktop computers in the domain. These users do not work on servers. Now I want to give these users permissions on the computer they log on to that are equivalent to the local Administrator of that computer, so that they can perform software installation, copy data from one user's profile to another profile, change security permissions on files, etc.

For this I created one domain local security group and added all these 6 users to this group. Now which group should I add this domain local group to so that these users can get the necessary rights?

Second thing: I tried making these users members of the Administrator group in the Builtin container. But still these users don't have administrative permission on the computer they log on to. I then tried adding them to the Domain Admins group also, still no luck. The only group that worked is Enterprise Admins, which itself is a member of the Administrators group in the Builtin container. ------> Quite confusing for me and strange also.

Third thing: I created two groups, one global security group and one domain local security group. Then I added a few users to the domain local security group and added the same users to the global security group also. Now I tried giving share permissions on some folders on which Everyone has Full Control NTFS permission. But the members of these groups are still not able to access those folders. They get an access denied message, whereas if I give share permission to users directly rather than giving permissions to the groups, it works fine. Tell me what kind of groups I need to make so that I can give permission to the group and the users of that group get the necessary permission.

The Domain functional level is Windows 2000 (Mixed). And the Forest Functional Level is Windows 2000.

Please help me understand these problems.


Thanks
Question by:iwontleaveyou
Accepted Solution

by:
mikeleebrla earned 300 total points
ID: 16698046
>>For this I created one domain local security group and added all these 6 users to this group. Now which group should I add this domain local group to so that these users can get the necessary rights.
You need to create a group called helpdesk, then you need to make the helpdesk group a member of the local administrator's group on every PC that you want them to manage.

>>Second thing: I tried making these users members of the Administrator group in the Builtin container. But still these users don't have administrative permission on the computer they log on to. I then tried adding them to the Domain Admins group also, still no luck. The only group that worked is Enterprise Admins, which itself is a member of the Administrators group in the Builtin container. ------> Quite confusing for me and strange also.
Enterprise Admins is built in like you said. Since you don't want to use the built-in group for your helpdesk users, you will have to create a new one called 'helpdesk' or something and make it a local admin on all PCs you want them to manage, like I mentioned above. This is by design.

Don't mess with giving 'share' permissions and then applying NTFS permissions as well. Simply give everyone full control via sharing permissions and then let NTFS handle security. That way you don't have two different security mechanisms fighting each other.

It sounds like you are just making your security groups (local, domain local, domain global and domain universal) without understanding what the different group levels are used for. See this link, which explains what they are used for:

http://www.experts-exchange.com/Security/Q_21044157.html


Assisted Solution

by:waqaswasib
waqaswasib earned 300 total points
ID: 16720434
Hey, why don't you add their account on the local PC as a local administrator account?
You can do it like this:
After joining the domain, just log in with the administrator account on the local PC rather than the domain.
Right-click My Computer > Manage > Local Users & Groups > add the helpdesk account to the Administrators group.
There is one more way:
Start > Control Panel > User Accounts > Add > username & domain
Hope this will help you.
Bye

Author Comment

by:iwontleaveyou
ID: 16734330
First of all, thanks for your reply.

>>You need to create a group called helpdesk, then you need to make the helpdesk group a member of the local administrator's group on every PC that you want them to manage.

I want these 6 users to manage 500 PCs. For this I need to log on to all 500 PCs first and then add the HELPDESK group to the local admin group. Then where is the ease of administration? Please provide an alternate solution.


Expert Comment

by:mikeleebrla
ID: 16735238
>>For this I need to log on to all 500 PCs first and then add the HELPDESK group to the local admin group.
Not true. Assuming that all of these machines are connected to the network and are in the domain, you can do all of this over the network. That is the point of having a domain and a network after all (so you don't have to go to every client machine to change settings via sneakernet).

All you need to do is below. It is copied from another EE user in your exact situation.


Set a startup script in group policy with the following line:

NET localgroup Administrators /add "domain_name\HELPDESK"

That's it. The next time the computers are started, the group will be added to the local admin group.

http://www.experts-exchange.com/Operating_Systems/Win2000/Q_21289460.html
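
A follow-up check for the startup-script rollout described above, as an added example that is not part of the original thread: it parses `net localgroup Administrators` output collected from each PC and reports machines where the HELPDESK group is missing or where accounts outside a baseline hold local admin rights. The sample output, PC names, the `jsmith` account and the allow-list are constructed, and English-language command output is assumed.

```python
import re

SUCCESS_LINE = "The command completed successfully."  # English-locale output assumed

def parse_members(output):
    """Return the member names printed between the dashed rule and the success line."""
    members, in_list = [], False
    for raw in output.splitlines():
        line = raw.strip()
        if not in_list:
            in_list = re.fullmatch(r"-{10,}", line) is not None
        elif line == SUCCESS_LINE:
            break
        elif line:
            members.append(line)
    return members

def audit(output, required, allowed):
    """Return (missing, unexpected); account names compare case-insensitively."""
    have = {m.lower(): m for m in parse_members(output)}
    missing = [r for r in required if r.lower() not in have]
    permitted = {n.lower() for n in list(required) + list(allowed)}
    unexpected = sorted(m for key, m in have.items() if key not in permitted)
    return missing, unexpected

# Constructed sample data: not captured from real machines.
HEADER = ("Alias name     Administrators\n"
          "Comment        Administrators have complete and unrestricted access "
          "to the computer/domain\n\nMembers\n\n" + "-" * 79 + "\n")

def fake_output(members):
    """Build text shaped like `net localgroup Administrators` output."""
    return HEADER + "\n".join(members) + "\n" + SUCCESS_LINE + "\n\n"

SAMPLES = {
    "PC01": fake_output(["Administrator", r"DOMAIN_NAME\Domain Admins", r"DOMAIN_NAME\HELPDESK"]),
    "PC02": fake_output(["Administrator", r"DOMAIN_NAME\Domain Admins", r"DOMAIN_NAME\jsmith"]),
}
REQUIRED = [r"domain_name\HELPDESK"]                       # group name from the thread
ALLOWED = ["Administrator", r"domain_name\Domain Admins"]  # assumed site baseline

if __name__ == "__main__":
    for pc, text in sorted(SAMPLES.items()):
        missing, unexpected = audit(text, REQUIRED, ALLOWED)
        print(pc, "missing:", missing, "unexpected:", unexpected)
```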