  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 174

Windows 2000 AD Group Delegation Help

Right now I'm running a Windows 2000 domain. I want to give my four help desk users the ability to do the following ONLY:
- Able to add / remove a PC to the domain.
- Reset users' passwords, but cannot reset domain admin or service account passwords.
- Is a member of the local Administrators group on all workstations and not on servers!!!!!!!!!

Any thoughts?
Asked by compdigit44
2 Solutions

Mike Kline commented:
For the first two you can use the Delegation of Control wizard and give those rights to the help desk group (place the users in a group) -- see screenshot.
For the admin group task I'd use Restricted Groups. Florian has a great blog on the subject here:
http://www.frickelsoft.net/blog/?p=13
One thing to note: with Restricted Groups you can either add to what is there or wipe out what is there and add new groups.
For this you just want to add the help desk group, so just remember that part. I'd test on a few machines first so you get a feel for it. Then link the policy to the OU where your workstations are located.
Thanks
Mike

Delegation-Wizard.jpg
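Before trusting what the Delegation of Control wizard wrote, it is worth reading the resulting ACEs back and confirming the help desk group holds nothing on the OU that holds admin and service accounts. The following script is an added example and not code from this thread; it assumes the ActiveDirectory module (RSAT), a group named "HelpDesk", and placeholder OU paths that you would replace with your own.

```powershell
# Added example, not from the thread. Reads the explicit ACEs a help desk group
# holds on a user OU (what the wizard granted) and warns if the same group holds
# any explicit rights on the OU containing admin/service accounts.
# Assumptions: ActiveDirectory module available; group and OU names are placeholders.
Import-Module ActiveDirectory

$HelpDeskGroup = 'HelpDesk'                               # assumed group name
$UserOU        = 'OU=Users,OU=Site1,DC=example,DC=local'  # placeholder OU
$AdminOU       = 'OU=Admins,DC=example,DC=local'          # placeholder OU

# Well-known schema and extended-right GUIDs the two wizard tasks write into ACEs
$KnownGuids = @{
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password (extended right)'
    'bf967a86-0de6-11d0-a285-00aa003049e2' = 'computer objects'
    'bf967aba-0de6-11d0-a285-00aa003049e2' = 'user objects'
    '00000000-0000-0000-0000-000000000000' = '(all)'
}

function Get-DelegatedRights {
    param([string]$OU, [string]$Group)
    $acl = Get-Acl -Path "AD:\$OU"
    # Explicit ACEs only: inherited ones come from a parent and are audited there
    $acl.Access | Where-Object {
        $_.IdentityReference.Value -like "*\$Group" -and -not $_.IsInherited
    } | ForEach-Object {
        $objType = $_.ObjectType.ToString()
        $inhType = $_.InheritedObjectType.ToString()
        $target  = $KnownGuids[$objType]; if (-not $target) { $target = $objType }
        $applies = $KnownGuids[$inhType]; if (-not $applies) { $applies = $inhType }
        [pscustomobject]@{
            OU        = $OU
            Type      = $_.AccessControlType       # Allow / Deny
            Rights    = $_.ActiveDirectoryRights   # e.g. ExtendedRight, CreateChild
            Target    = $target                    # right or object class granted
            AppliesTo = $applies                   # object class the ACE inherits to
        }
    }
}

"Explicit rights held by $HelpDeskGroup on $UserOU"
Get-DelegatedRights -OU $UserOU -Group $HelpDeskGroup | Format-Table -AutoSize

# Any hit here means the help desk could reset privileged or service account passwords
$leak = Get-DelegatedRights -OU $AdminOU -Group $HelpDeskGroup
if ($leak) {
    Write-Warning "$HelpDeskGroup holds explicit rights on $AdminOU; review and remove:"
    $leak | Format-Table -AutoSize
} else {
    "No explicit rights for $HelpDeskGroup on $AdminOU"
}
```

Members of Domain Admins and the other protected groups have their ACLs rewritten from AdminSDHolder, so OU-level delegation never reaches them regardless of where they sit; service accounts are not protected that way, so keeping them in an OU where the help desk group holds no rights is what actually enforces the second requirement.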
 
compdigit44 (Author) commented:
Do you have any suggestions on using the Restricted Groups policy? Here is a question: what if a user has local admin rights on their specific workstation? I don't want this policy to wipe this out!!!!!! Also I was hoping to place this policy at the root of my domain since I have multiple OUs for multiple different sites, yet I don't want my servers to be affected...

Please help.
 
Americom commented:
Regarding the Restricted Groups policy, everything you need to know about how to create and use the GPO is clearly explained in the link Mike provided above. As Mike has suggested, the best way is to test it out: create a test OU, place a workstation in the OU, then create the GPO for the group you want to add and link the GPO to the OU. This way you can verify that the group you added is in the Administrators group of the workstation in that OU.

Regarding linking the GPO to the domain, that will create more work for you, especially since I'm sure there are a lot of other machines, such as servers, that you don't want the GPO to apply to. Also, if you link at the domain level, you have to be careful each time you create a new OU that may have machines you do not want the GPO to apply to; then you end up doing Block Inheritance, etc., which is high maintenance.

What we do is create a root OU for all workstations and one OU for all servers. Within each OU, we organize the workstations by location. For servers, you may want to organize by function (apps, file, print, database, etc.), as these functions are more specific and sensitive for servers, whereas workstations are more sensitive to location since they will be used by the local users. You may consider reorganizing your systems this way to eliminate administrative overhead.
