Solved

Create a domain account that has local administrator rights only

Posted on 2008-01-29
Last Modified: 2010-08-05
Currently all desktop support engineers have an administrator account on the local computers.
The administrator password is a local admin password.
Example:
logon         : administrator
pass          : xxxxxx
localComputer : comp1 to comp100

Can I create an account in the DOMAIN that has local admin rights?
The account SHOULD HAVE LOCAL ADMIN RIGHTS BUT NOT ANY SERVER RIGHTS.
How do I assign this group in Active Directory?

The purpose of this exercise is to allow centralization of the password so I can easily change the local administrator password.
Question by:Jameseka

Accepted Solution

by: oBdA
ID: 20774503
Create a global group "DesktopAdmins" or whatever, add the engineers to this group.
Create a GPO and link it to an OU in which (only) the machines are that you want those users to have administrative permissions on.
In this GPO, define a "Restricted Groups" policy for the Administrators group, in which you only add the Administrator account, the Domain Admins group, and the DesktopAdmins group.
This makes sure the engineers don't add other accounts to the administrators group (or at least not for long ...)

Description of Group Policy Restricted Groups
http://support.microsoft.com/kb/279301
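
One way to check that the Restricted Groups policy from the accepted answer is holding on each machine, as an added example that is not part of the original thread. The domain name CORP, the computer names, the account jdoe and both function names are constructed placeholders; `Get-LocalGroupMember` requires Windows PowerShell 5.1 or later.

```powershell
# Added example: compare each machine's local Administrators group with the
# membership the Restricted Groups policy is meant to enforce.
$Allowed = @(
    'Administrator',          # built-in local account, matched by name only
    'CORP\Domain Admins',     # CORP is a placeholder domain name
    'CORP\DesktopAdmins'
)

function Compare-AdminMembership {
    param(
        [string]$ComputerName,
        [string[]]$Actual,    # names in the form Get-LocalGroupMember returns
        [string[]]$Allowed
    )
    # Local accounts come back as COMPUTER\name; strip the machine prefix so
    # the built-in Administrator compares equal on every host.
    $normalized = $Actual | ForEach-Object {
        $_ -replace ('^' + [regex]::Escape($ComputerName) + '\\'), ''
    }
    [pscustomobject]@{
        ComputerName = $ComputerName
        Unexpected   = @($normalized | Where-Object { $_ -notin $Allowed })
        Missing      = @($Allowed | Where-Object { $_ -notin $normalized })
    }
}

function Get-AdminMembership {
    param([string]$ComputerName)
    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators, so the
    # lookup does not depend on the OS display language.
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        (Get-LocalGroupMember -SID 'S-1-5-32-544').Name
    }
}

# Constructed sample data, so the comparison runs without a domain.
$sample = @{
    'COMP1' = @('COMP1\Administrator', 'CORP\Domain Admins', 'CORP\DesktopAdmins')
    'COMP2' = @('COMP2\Administrator', 'CORP\Domain Admins', 'CORP\DesktopAdmins', 'CORP\jdoe')
}
# Report only machines that drifted from the policy (here: COMP2, CORP\jdoe).
$sample.GetEnumerator() | ForEach-Object {
    Compare-AdminMembership -ComputerName $_.Key -Actual $_.Value -Allowed $Allowed
} | Where-Object { $_.Unexpected -or $_.Missing }

# Live use:
# Compare-AdminMembership 'COMP1' (Get-AdminMembership 'COMP1') $Allowed
```

An entry under `Unexpected` between two policy refreshes is the "not for long" window the answer mentions; an entry under `Missing` usually means the GPO is not applying to that machine's OU.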

Author Closing Comment

by:Jameseka
ID: 31426280
Will try around the suggested setting.
Thanks.