Solved

Network admin and domain admin accounts and local admin within the network

Posted on 2006-11-22
Last Modified: 2010-04-19
Hi there,

Here is what we are trying to do. We have 3 people here that deal with servers: one SBS 2003 and a couple of 2003 Standard servers. What we want is one network admin account and 3 domain admin accounts. The domain admin accounts we do not want to have access to be able to reset the password for the network admin account or add themselves to that group.

As well, we want to make a security group or something along this line for local administrators. There are some people on this network that should have access to install software on their own computer as well as others. We do not want to go to each computer and add them as a local administrator due to the number of computers that we have on the network; as well, if we need to revoke their rights we don't want to have to remove them from each machine. Wondering how we could do this, we were thinking that we could make a security group and then add the group to each machine as a local admin.

thanks for any input

Tom
Question by:tstinson1980
LVL 74

Accepted Solution

by:
Jeffrey Kane - TechSoEasy earned 500 total points
ID: 17998333
Unfortunately there is no such thing as a "Network Admin" level in Active Directory.  A Domain Administrator is all-powerful.  You cannot restrict anything for someone at that level.

You CAN make any regular user a member of the LOCAL Administrators group on any of your servers except SBS as long as those servers are not Domain Controllers.  Domain Controllers do not have LOCAL user accounts.

As for adding users to the local administrators group for all of your workstations, this is actually done automatically.  When you join a workstation to your domain using the correct method of http://<servername>/connectcomputer you are asked which user account you want to assign to that computer.  This account is automatically added to that computer's LOCAL Administrator group (the Domain Admins group is also added to the LOCAL Administrator group).

Jeff
TechSoEasy
 

Author Comment

by:tstinson1980
ID: 17998789
Okay, with the information that you gave us we were able to head towards what we want. We made a security group called company power users and gave that group access to things such as remote desktop, print operator, etc. This will work for us as a fully functioning account below the domain admin account. This account also does not have access to the domain admin group, meaning it cannot change the password nor can it add itself to the domain admin group.

But obviously this account has no power on the end computers, so how can I get this security group to have local admin rights on all the workstations that are already joined to the network? I do not want to give the individual users the access, just the security group.
 

Author Comment

by:tstinson1980
ID: 17999125
We have solved the issues, thanks very much.
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 18000305
There already IS a Domain Power Users group that is configured by default in SBS and has a pre-configured user template that you could use for these folks.  The Domain Power Users Group has remote access rights to any computer on the network.

Jeff
TechSoEasy
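
One way to do what the asker describes (put a single domain security group into the local Administrators group on every workstation and manage people only through that group), as an added example that is not part of the thread: a script run on each workstation, for instance as a computer startup script. It assumes Windows PowerShell 5.1 (the LocalAccounts cmdlets); the domain name `EXAMPLE` is a placeholder and `Company Power Users` is the group name mentioned in the thread.

```powershell
# Added example, not from the thread. Run elevated on each workstation.
# Assumptions: 'EXAMPLE' is a placeholder NetBIOS domain name; the local
# built-in account is still named 'Administrator'.
param(
    [string]$Domain         = 'EXAMPLE',
    [string]$DelegatedGroup = 'Company Power Users',
    [switch]$ReportOnly      # audit without changing membership
)

$adminsSid = 'S-1-5-32-544'  # well-known SID of BUILTIN\Administrators
$wanted    = "$Domain\$DelegatedGroup"

# Principals we expect to find in local Administrators on a domain workstation.
$expected = @(
    "$env:COMPUTERNAME\Administrator",
    "$Domain\Domain Admins",
    $wanted
)

$members = @(Get-LocalGroupMember -SID $adminsSid)

# 1. Ensure the delegated group is present. Safe to run repeatedly.
if ($members.Name -notcontains $wanted) {
    if ($ReportOnly) {
        Write-Warning "$wanted is missing from local Administrators"
    } else {
        Add-LocalGroupMember -SID $adminsSid -Member $wanted -ErrorAction Stop
        Write-Output "Added $wanted to local Administrators"
    }
}

# 2. Report every other member, such as individual user accounts that were
#    assigned to the computer when it was joined or were added by hand.
foreach ($m in $members) {
    if ($expected -notcontains $m.Name) {
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Member   = $m.Name
            Class    = $m.ObjectClass
            Source   = $m.PrincipalSource
        }
    }
}
```

With the group in place on every machine, granting or revoking local admin rights is a membership change on that one domain group rather than a visit to each workstation. The objects reported in step 2 are the per-machine exceptions to review.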