Windows 2003 Groups membership

Hi there,

I have installed a fresh new Windows server 2003 enterprise server and upgraded it to a domain controller. There is one Exchange server 2003 Enterprise edition.

Now I have created different OUs in Active Directory and created users in them.

Now I have 6 users in the helpdesk team who need to do day-to-day routine administrative tasks on the desktop computers in the domain. These users do not work on servers. Now I want to provide these users the permissions on the computer they log on to that are equivalent to the local Administrator of that computer so that they can perform software installation, copy data from one user's profile to another profile, change security permissions on files, etc.

For this I created one domain local security group and added all these 6 users to this group. Now which group should I add this domain local group to so that these users can get the necessary rights?

Second thing: I tried making these users members of the Administrators group in the Builtin container. But still these users don't have administrative permission on the computer they log on to. I then tried adding them to the Domain Admins group also, still no luck. The only group that worked is Enterprise Admins, which itself is a member of the Administrators group in the Builtin container. ------>Quite confusing for me and strange also.

Third thing: I created two groups, one global security group and another domain local security group. Then I added a few users to the domain local security group and added the same users to the global security group also. Now I tried giving share permissions on some folders on which Everyone has Full Control NTFS permission. But the members of these groups are still not able to access those folders. They get an access denied message, whereas if I give share permission to users directly rather than giving permissions to the groups, it works fine. Tell me what kind of groups I need to make so that I can give permission to the group and the users of that group get the necessary permission.

The Domain functional level is Windows 2000 (Mixed). And the Forest Functional Level is Windows 2000.

Please help me understand these problems.


Thanks
Asked by: iwontleaveyou

mikeleebrla commented:
>>For this I created one domain local security group and added all these 6 users to this group. Now which group should I add this domain local group to so that these users can get the necessary rights?
You need to create a group called helpdesk, then you need to make the helpdesk group a member of the local Administrators group on every PC that you want them to manage.

>>Second thing: I tried making these users members of the Administrators group in the Builtin container. But still these users don't have administrative permission on the computer they log on to. I then tried adding them to the Domain Admins group also, still no luck. The only group that worked is Enterprise Admins, which itself is a member of the Administrators group in the Builtin container. ------>Quite confusing for me and strange also.
Enterprise Admins is built in like you said. Since you don't want to use the built-in group for your helpdesk users, you will have to create a new one called 'helpdesk' or something and make it a local admin on all PCs you want them to manage, like I mentioned above. This is by design.


Don't mess with giving 'share' permissions and then applying NTFS permissions as well. Simply give everyone full control via sharing permissions and then let NTFS handle security. That way you don't have two different security mechanisms fighting each other.


It sounds like you are just making your security groups (local, domain local, domain global and domain universal) without understanding what the different group levels are used for. See this link, which explains what they are used for:

http://www.experts-exchange.com/Security/Q_21044157.html

waqaswasib commented:
Hey, why don't you add their account on the local PC as a local administrator account?
You can do it by doing this:
After joining the domain, just log in with the Administrator account on the local PC rather than the domain.
Right-click My Computer > Manage > Local Users & Groups > add the helpdesk account to the Administrators group.
There is one more way:
Start > Control Panel > User Accounts > Add > username & domain
Hope this will help you.
Bye
iwontleaveyou (author) commented:
First of all, thanks for your reply.

>>You need to create a group called helpdesk, then you need to make the helpdesk group a member of the local Administrators group on every PC that you want them to manage.

I want these 6 users to manage 500 PCs. For this I need to log on to all 500 PCs first and then add the HELPDESK group to the local admin group. Then where is the ease of administration? Please provide an alternate solution.

mikeleebrla commented:
>>For this I need to log on to all 500 PCs first and then add the HELPDESK group to the local admin group.
Not true. Assuming that all of these machines are connected to the network and are in the domain, you can do all of this over the network. That is the point of having a domain and a network after all (so you don't have to go to every client machine to change settings via sneakernet).

all you need to do is below... it is copied from another EE user in your exact situation.


Set a startup script in group policy with the following line:

NET localgroup Administrators /add "domain_name\HELPDESK"

That's it....the next time the computers are started, the group will be added to the local admin group.

http://www.experts-exchange.com/Operating_Systems/Win2000/Q_21289460.html
Question has a verified solution.
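
A guarded variant of the startup script from the last answer, as an added example that is not part of the original thread: it skips member servers and domain controllers (the helpdesk users do not work on servers, and on a domain controller `net localgroup Administrators` changes the domain's Builtin Administrators group), skips machines where the group is already a member, and logs the outcome. `domain_name\HELPDESK` is the placeholder from the answer; the log path and the English group name `Administrators` are assumptions.

```batch
@echo off
setlocal
rem Added example for a GPO startup script (runs as Local System at boot).
rem GROUP is the placeholder from the answer; replace domain_name with the real domain.
rem LOG is an assumed location; any path writable by Local System works.
set "GROUP=domain_name\HELPDESK"
set "LOG=%SystemRoot%\Temp\helpdesk-localadmin.log"

rem ProductType is WinNT on workstations, ServerNT on member servers,
rem LanmanNT on domain controllers. Only workstations should get this group.
reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v ProductType | find /i "WinNT" >nul
if errorlevel 1 (
    >>"%LOG%" echo %DATE% %TIME% %COMPUTERNAME%: not a workstation, nothing changed
    exit /b 0
)

rem Idempotence: do nothing if the group is already listed as a member.
net localgroup Administrators | find /i "%GROUP%" >nul
if not errorlevel 1 (
    >>"%LOG%" echo %DATE% %TIME% %COMPUTERNAME%: %GROUP% already in Administrators
    exit /b 0
)

rem Add the domain group and record whether it worked.
net localgroup Administrators "%GROUP%" /add >nul 2>&1
if errorlevel 1 (
    >>"%LOG%" echo %DATE% %TIME% %COMPUTERNAME%: FAILED to add %GROUP%
    exit /b 1
)
>>"%LOG%" echo %DATE% %TIME% %COMPUTERNAME%: added %GROUP% to Administrators
exit /b 0
```

Linking the policy only to the OU that holds the desktop computers keeps the script from running on servers in the first place; the ProductType check is a second guard.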