Solved

How to provide admin access

Posted on 2006-11-10
18
264 Views
Last Modified: 2010-04-18
Hello guys

  in my organization, i need to give some admin access in domain like he is a helpdesk guy, so he needs to install new machine, add printer, do some small jobs on server, but i dont want him to have domain admin access is there is any way i can give such access?

Thanks in advance

Suresh
0
Comment
Question by:xavier_amala
  • 9
  • 5
  • 4
18 Comments
 
LVL 9

Accepted Solution

by:
SamuraiCrow earned 150 total points
Comment Utility
Delegation is probably what you need to accomplish most of what you are looking for.  Take a read when you get a chance:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/ctrlwiz.mspx

If you need him to do admin tasks on workstations you should add a helpdesk group to the Administrators group on the workstation via computer startup script.  Here is an example of the syntax:

net localgroup administrators "domain\Helpdesk" /add

Hope this helps
Let me know if you would like clarification or have follow up questions

Crow
0
 

Author Comment

by:xavier_amala
Comment Utility
Hey samurai

  let me try this monday morning and i will let you know

Thanks
Suresh
0
 

Author Comment

by:xavier_amala
Comment Utility
Hey

  let me explain clearly, i created a group called " Domain Helpdesk" and addedd two Helpdesk guys as the member of this group, i need to add this group to all my workstation at a time without going to each machine and add mannually... Please Help

Thanks Again
Suresh
0
 
LVL 9

Expert Comment

by:SamuraiCrow
Comment Utility
You're halfway there:

Next create a computer startup script in a group policy that gets applied to all of your computers in active directory.  In that script add the line:

net localgroup administrators "domainname\Domain Helpdesk" /add

You will need to put your domain name in before the \ in the previous statement.  When the computers startup they will process this command from group policy and add the "domain helpdesk" group to the local administrators group on any workstation that runs the policy.  
0
 

Author Comment

by:xavier_amala
Comment Utility
Hey

  i am not able to add this in Group policy help how to do this for a special OU

Thanks
0
 
LVL 9

Expert Comment

by:SamuraiCrow
Comment Utility
When you say 'special OU' are you referring to the default computers OU?  If so you will not be able to add a group policy on this OU level (It would have to be done at the default domain policy which I wouldn't reccomend).  In most organizations I've worked at we have always organized our computers under a new OU called Domain Computers (or whatever else you would want to call it).  You can organize them however you want beneath that level (site, department, etc...) but this gives you a place other then the default domain policy to add group policies.  My tree looks something like this:

Domain Computers - All client computers
Domain Controllers - All DCs
Domain Servers - All servers
Domain Users - All User Accounts

If your computers are in the default special folder I would suggest creating a new OU to house them in.  They will still get the default domain policy and any other GPOs that are being pushed down.
0
 

Author Comment

by:xavier_amala
Comment Utility
Hey

  You are ture, i have all my computers except servers on default computers, i am planning to create new OU for all client computers.What should i do after creating another OU and move all my client computers.

Thanks
0
 
LVL 5

Assisted Solution

by:trarthur
trarthur earned 100 total points
Comment Utility
After creating the new OU and moving the computers in there, create the GPO's and apply them to the new OU.

Get the GPMC if you haven't already downloaded it.

http://www.microsoft.com/downloads/details.aspx?FamilyId=0A6D4C24-8CBD-4B35-9272-DD3CBFC81887&displaylang=en

0
 

Author Comment

by:xavier_amala
Comment Utility
Hey

  i create the GPO i can see the script running at backgroud when i login from my mahcine but for some reason its not adding the Admin group

Here is my script

net localgroup administrators "Domain\DomainHelp" /add

I saved this as BAT file and saved under statup script on C:\windows\Sysvol\Policies\702.....\machine\startup\..

i dont where i do mistake

Thanks for help
0
Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

 
LVL 5

Expert Comment

by:trarthur
Comment Utility
What happens when you do

net localgroup administrators "Domain\DomainHelp" /add

from a command prompt?  Does the group get added?

Also, are there any GPOs that are making changes in the Restricted Groups?

If there is, that is the problem.
0
 
LVL 9

Expert Comment

by:SamuraiCrow
Comment Utility
This should run under the computer startup script (not the user login script).  This should run before you login to the computer.  Double check the GPO and make sure it is a computer startup script.
0
 

Author Comment

by:xavier_amala
Comment Utility
Hey

   let me check this

Thanks
0
 

Author Comment

by:xavier_amala
Comment Utility
Hey guys

  i checked again but still not working, i have added my scipt on GPO

computer configuration --> Windows Settings --> Scripts --> Start up --> <Script.bat>

do i need to specify anything on Parameters?

Please help

Thanks
0
 
LVL 5

Expert Comment

by:trarthur
Comment Utility
What happens when you do

net localgroup administrators "Domain\DomainHelp" /add

from a command prompt?  Does the group get added?
0
 
LVL 9

Expert Comment

by:SamuraiCrow
Comment Utility
Earlier you had mentioned the group name was Domain Help (With a space).  That would neccesitate the syntax to read thusly:

net localgroup administrators "<Your domain name>\Domain Help" /add
0
 

Author Comment

by:xavier_amala
Comment Utility
Hey

Net localgroup administrators "<Domainname\DomainHelp" /add this works in command prompt and the group get added, but not through GPO

Thanks

Suresh
0
 
LVL 5

Expert Comment

by:trarthur
Comment Utility
If you have verified that the script is set to run under the computer configuration and it's still not running,
I would enable logging to see what the errors are.
0
 

Author Comment

by:xavier_amala
Comment Utility
Hey Guys

  It works fine, i am a dump i didnt restart the machine.. Sorry

Thanks
Xavier
0

Featured Post

Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

Join & Write a Comment

Preface Having the need * to contact many different companies with different infrastructures * do remote maintenance in their network required us to implement a more flexible routing solution. As RAS, PPTP, L2TP and VPN Client connections are no…
A quick step-by-step overview of installing and configuring Carbonite Server Backup.
It is a freely distributed piece of software for such tasks as photo retouching, image composition and image authoring. It works on many operating systems, in many languages.
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now