Solved

Allowing users local administrative rights

Posted on 2007-03-29
9
204 Views
Last Modified: 2010-04-20
Hi Fellow Geeks !
Can anyone tell me how OR point me to a step by step guide on how to do the following.
I have a Win 2003 standard server running as DC...2x desktop PC's & 4 laptops. One user needs to have admin access when logging on to some computers EXCEPT DC.. How can I acheive this ??
Thanks in advance !!
John
0
Comment
Question by:mrmad1966
  • 3
  • 2
  • 2
  • +2
9 Comments
 
LVL 2

Expert Comment

by:emiops
ID: 18817879
promote his AD account on each computer (since you dont have that many to manage) to local administrator.

Control panel, user accounts, then find his AD account on the domain.

0
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 18817904
Bad idea, putting his account in the local admin group on all machines.  This is a nightmare to manage.

If you MUST make him a local admin (NEVER a good idea, but there are some poorly written software programs that require it), then create a group in Active Directory - something called "Local Admins" or something like it - then put the user in that group.  Go to each workstation and put the "local admins" group into the local "Administrators" group.  By doing this is becomes VERY easy to remove the user from the local admins on all workstations and likewise, very easy to add another user if you need to.
0
 
LVL 2

Expert Comment

by:emiops
ID: 18817972
suppose you can do that too... same result... easier to manage

Keep in mind that it is problably better for that user to have atleast 2 AD accounts.  One for normal use, and the other to use only when he needs Admin rights (to install applications and so on) so he isnt always on as a local admin when he doesnt need to be.
0
 
LVL 1

Author Comment

by:mrmad1966
ID: 18818325
Hi all..
leew's answer does do the job, but if my network were larger or geographicaly different, is there no other option than edit the local Users Group on each workstation...??? Thanks
0
Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

 
LVL 4

Expert Comment

by:vnicolae
ID: 18818349
You can create a GPO that adds a user to the local administrators group. It all depends on what you want to do exactly. What rights do you want this super-user to have?
0
 
LVL 1

Author Comment

by:mrmad1966
ID: 18818442
I'd like him to be able to install software..But obviously NOT on the DC. I do not want him to be able to log on locally to the DC!
0
 
LVL 4

Expert Comment

by:vnicolae
ID: 18818519
If you want them to install software, you have to give them local administrator rights. Either add them manually to the local group or via GPO.
0
 
LVL 2

Expert Comment

by:emiops
ID: 18818571
I am not sure how to use GPO to do what vnicolae is saying, but

If you create multiple GPO's that correspond with the different OU's in AD you can push GPO Updates to your computers while skipping your DC.

But for a 6 computer domain... Might just be easier to do what me or leew said at the beginning.
0
 
LVL 48

Accepted Solution

by:
Jay_Jay70 earned 500 total points
ID: 18820423
mrmad1966,

I understand the predicament here and have seen it many time due to crappy software - though its been made a little to complex...

Restricted groups will take care of membership
http://www.windowsecurity.com/articles/Using-Restricted-Groups.html

As far as the DC side of things goes - edit the default domain controllers policy - computer config - windows settings - security settings - user rights assignment - allow logon locally...just add your Administrator and any other explicit allows.

Regards,

James
0

Featured Post

Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

Join & Write a Comment

Remote Apps is a feature in server 2008 which allows users to run applications off Remote Desktop Servers without having to log into them to run the applications.  The user can either have a desktop shortcut installed or go through the web portal to…
Learn about cloud computing and its benefits for small business owners.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now