Solved

Network admin and domain admin accounts and local admin with in the network

Posted on 2006-11-22
4
275 Views
Last Modified: 2010-04-19
Hi there,
        here is what we are trying to do. We have 3 people here that deal with servers one sbs 2003 and a couple 2003 standard servers. What we want is one network admin account and 3 domain admin accounts. The domain admin accounts we do not want to have access to be able to reset the password for the network admin account or add them selfs to that group.

As well we want to make a security group or something along this line for local administrators. There are some people on this network that should have access to install software on there own computer as well as others. We do not want to go to each computer and add them as a local administrator due to the number of computers that we have on the network, as well if we need to revoke there rights we don't want to have to remove them from each machine. Wondering how we could do this, we were thinking that we could make a security group and then add the group to each machine as a local admin.

thanks for any input

Tom
0
Comment
Question by:tstinson1980
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 74

Accepted Solution

by:
Jeffrey Kane - TechSoEasy earned 500 total points
ID: 17998333
Unfortunately there is no such thing as a "Network Admin" level in Active Directory.  A Domain Administrator is all-powerful.  You cannot restrict anything for someone at that level.

You CAN make any regular user a member of the LOCAL Administrators group on any of your servers except SBS as long as those servers are not Domain Controllers.  Domain Controllers do not have LOCAL user accounts.

As for adding users to the local administrators group for all of your workstations, this is actually done automatically.  When you join a workstation to your domain using the correct method of http://<servername>/connectcomputer you are asked which user account you want to assign to that computer.  This account is automatically added to that computer's LOCAL Administrator group (the Domain Admins group is also added to the LOCAL Administrator group).

Jeff
TechSoEasy
0
 

Author Comment

by:tstinson1980
ID: 17998789
Okay with the information you that you gave us we were able to head in towards what we want. We made a security group called company power users and gave that group access to things such as remote desktop print operator etc. This will work for us a as a fully functioning account below the domain admin account. This account also does not have access to the domain admin group meaning it can not change the password nor can it add it's self to the domain admin group.

But obviously this account has no power on the end computers, so how can i get this security group to have local admin rights on all the workstations that are already joined to the network? I do not want to give the individual users the access, just the security group.
0
 

Author Comment

by:tstinson1980
ID: 17999125
we have solved the issues thanks very much
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 18000305
There already IS a Domain Power Users group that is configured by default in SBS and has a pre-configured user template that you could use for these folks.  The Domain Power Users Group has remote access rights to any computer on the network.

Jeff
TechSoEasy
0

Featured Post

On Demand Webinar - Networking for the Cloud Era

This webinar discusses:
-Common barriers companies experience when moving to the cloud
-How SD-WAN changes the way we look at networks
-Best practices customers should employ moving forward with cloud migration
-What happens behind the scenes of SteelConnect’s one-click button

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The SBS 2011 release date (RTM) is supposed to be around Christmas, 2011.  This article is a compilation of my notes -- things I have learned first hand.  The items are in a rather random order, but I think this list covers most of what is new and d…
A quick step-by-step overview of installing and configuring Carbonite Server Backup.
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…

623 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question