mrmad1966
asked on
Allowing users local administrative rights
Hi Fellow Geeks !
Can anyone tell me how OR point me to a step by step guide on how to do the following.
I have a Win 2003 standard server running as DC...2x desktop PC's & 4 laptops. One user needs to have admin access when logging on to some computers EXCEPT DC.. How can I acheive this ??
Thanks in advance !!
John
Can anyone tell me how OR point me to a step by step guide on how to do the following.
I have a Win 2003 standard server running as DC...2x desktop PC's & 4 laptops. One user needs to have admin access when logging on to some computers EXCEPT DC.. How can I acheive this ??
Thanks in advance !!
John
Bad idea, putting his account in the local admin group on all machines. This is a nightmare to manage.
If you MUST make him a local admin (NEVER a good idea, but there are some poorly written software programs that require it), then create a group in Active Directory - something called "Local Admins" or something like it - then put the user in that group. Go to each workstation and put the "local admins" group into the local "Administrators" group. By doing this is becomes VERY easy to remove the user from the local admins on all workstations and likewise, very easy to add another user if you need to.
If you MUST make him a local admin (NEVER a good idea, but there are some poorly written software programs that require it), then create a group in Active Directory - something called "Local Admins" or something like it - then put the user in that group. Go to each workstation and put the "local admins" group into the local "Administrators" group. By doing this is becomes VERY easy to remove the user from the local admins on all workstations and likewise, very easy to add another user if you need to.
suppose you can do that too... same result... easier to manage
Keep in mind that it is problably better for that user to have atleast 2 AD accounts. One for normal use, and the other to use only when he needs Admin rights (to install applications and so on) so he isnt always on as a local admin when he doesnt need to be.
Keep in mind that it is problably better for that user to have atleast 2 AD accounts. One for normal use, and the other to use only when he needs Admin rights (to install applications and so on) so he isnt always on as a local admin when he doesnt need to be.
ASKER
Hi all..
leew's answer does do the job, but if my network were larger or geographicaly different, is there no other option than edit the local Users Group on each workstation...??? Thanks
leew's answer does do the job, but if my network were larger or geographicaly different, is there no other option than edit the local Users Group on each workstation...??? Thanks
You can create a GPO that adds a user to the local administrators group. It all depends on what you want to do exactly. What rights do you want this super-user to have?
ASKER
I'd like him to be able to install software..But obviously NOT on the DC. I do not want him to be able to log on locally to the DC!
If you want them to install software, you have to give them local administrator rights. Either add them manually to the local group or via GPO.
I am not sure how to use GPO to do what vnicolae is saying, but
If you create multiple GPO's that correspond with the different OU's in AD you can push GPO Updates to your computers while skipping your DC.
But for a 6 computer domain... Might just be easier to do what me or leew said at the beginning.
If you create multiple GPO's that correspond with the different OU's in AD you can push GPO Updates to your computers while skipping your DC.
But for a 6 computer domain... Might just be easier to do what me or leew said at the beginning.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Control panel, user accounts, then find his AD account on the domain.