• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1764
  • Last Modified:

How do I create power users in Active Directory?

I am trying to create a group of users that should have power user access assigned to their respective account so that they have, not administrator access, but sufficient access on any Windows 2003 Server. Any help and outlines steps would be appreciated.
0
azsheikh1
Asked:
azsheikh1
  • 3
  • 2
  • 2
  • +4
1 Solution
 
a3kglandCommented:
What rights do you want to assign to the users that logon the windows 2003 server? I guess that you are referring to a terminal server enviroment?

0
 
Mike KlineCommented:
You may want to add them to server operators.  More on the built-in groups here
http://technet.microsoft.com/en-us/library/cc756898.aspx
Default groups: Active Directory
Not sure if any of those groups will meet your requirments but take a look and let us know,.
Thanks
Mike
 
0
 
snowdog01Commented:
azsheikh1,
It sounds like you want a group of users to have power user permission on some servers, not user workstations.  Check out the link below on adding user through Active Directory (AD) to a restricted group.  ***Caution should be used as to restrict this to servers only and not affect the workstations.
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_23294902.html
 
0
Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

 
Donald StewartNetwork AdministratorCommented:
Here's a better guide to restriced groups
 
http://www.windowsecurity.com/articles/Using-Restricted-Groups.html 
0
 
Mike KlineCommented:
The problem with power users via a restricted group is that power users is not a built-in group in Active directory so you can't choose that group when you select "add group" using the restricted groups setting.
 
Thanks
Mike
0
 
kavlinsCommented:
There isnt a builtin Power user group in AD. You can either add that group to Server Operators or add it to local power users group on those machines ...
 
0
 
snowdog01Commented:
In order to not affect the user workstations, my recommendation is to place the users in the local server's power user group, via the restricted group in the OU.  The beauty of this solution is that the users can be removed from the AD group at-will.
0
 
Donald StewartNetwork AdministratorCommented:
If you run gpmc.msc from an xp workstation you will then be able to add the power users group into restricted groups
0
 
azsheikh1Author Commented:
Thanks to all that have posted.

dstewartjr,

I have taken a look at the link you posted. I see where to configure the restricted groups, but I'm a little confused. When adding which groups and users have membership to restricted groups it looks like they are all adding administrator accounts. If I'm understanding this correctly, adding administrator users and groups to the membership of restricted groups will make all other accounts restricted after applying it to the OU where the computer accounts are located. Is that correct?

Thanks again!
0
 
Donald StewartNetwork AdministratorCommented:
No this is not correct, the user or groups that you add will become power users and all other groups will be left alone. But if there were any users that were locally added to the power users group(I.e done from any of the local client machines) those users will be removed from the local power users group. This goes the same if you say added a security group(like "accounting group") to the administrators group.
0
 
azsheikh1Author Commented:
I understand now, and that's what I initially thought until I read through the link and saw all of the administrator accounts listed. Thanks for the clarification!
0
 
Rajae Al NajjarNetwork And Systems AdministratorCommented:
Dear,
you can create security group and give them special permissions through delegated control.
for example:
-  join Workstations to domain.
-  reset User accounts passowrds.
- create users or computers accounts.
etc,...

Thanks,
I hope if this solution help you.
0

Featured Post

Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

  • 3
  • 2
  • 2
  • +4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now