How do I create a power user in Active Directory

bachopper
I have asked this question once with no solution.  Going to ask again with more points.

I have a laptop user that needs to have local permission to do some troubleshooting with AT&T on his air card.  I do not trust this user as far as I can throw him.  I do not want to change his permission to a power user at a local level.  Can I create a security setting in Active Directory that will give this user local power user rights?  This way I can give and take away this security to any user any time I want to do so.
Top Expert 2013
Commented:
You can use restricted groups if you want to do it from an AD/Group Policy level.
Good article on restricted groups here:
http://www.frickelsoft.net/blog/?p=13
So since you only want it to apply to the one computer, you can use security filtering to only apply to the one machine.
More on security filtering here: http://adisfun.blogspot.com/2009/04/security-filtering-and-group-policy.html
Thanks
Mike
A power-user is a power-user, so giving the user a domain-level power user account is infinitely more risky than a local power user account.  The risk at the workstation level is if the untrustworthy employee will create a local account on the machine, while he has permission to do so, then log in with that account to work his magic.  If you don't give that person that much credit, then you can create a domain group and assign it to the local power-user group on the laptop.  Then assign the one person to the domain group.  Once the Group Policy is up-to-date, the power-user permissions will be his, until you remove him from this special group membership.
 
HTH,
AD has no power user group, but you can manage the local power users group from AD.


Make a GPO only for this laptop and in
GPO->Computer Config->Windows->Security->Restricted Groups add the Power Users group.

Now you can manage the local group via GPO.

:( not quick enough.
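
Added example (not from any poster in this thread): the approach described above, a domain group placed in the laptop's local Power Users group through a security-filtered Restricted Groups GPO, scripted with the ActiveDirectory and GroupPolicy modules. The group, GPO, OU and computer names are placeholders, and the review function assumes the laptop is reachable over WinRM.

```powershell
# Added example. Every name here is a placeholder, not a value from the thread.
Import-Module ActiveDirectory, GroupPolicy

$GroupName = 'Laptop01-TempPowerUsers'       # hypothetical domain group
$GroupOU   = 'OU=Groups,DC=example,DC=com'   # hypothetical OU for the group
$GpoName   = 'Laptop01 - Local Power Users'  # hypothetical GPO name
$LaptopOU  = 'OU=Laptops,DC=example,DC=com'  # hypothetical OU holding the laptop
$Computer  = 'LAPTOP01'                      # hypothetical computer account

# --- One-time setup ----------------------------------------------------------
New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $GroupOU
New-GPO -Name $GpoName | New-GPLink -Target $LaptopOU

# Security filtering: Authenticated Users may read the GPO but not apply it;
# only the one laptop applies it.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace
Set-GPPermission -Name $GpoName -TargetName $Computer `
    -TargetType Computer -PermissionLevel GpoApply

# Manual step in the Group Policy editor, at the Restricted Groups node:
# add $GroupName and use "This group is a member of" -> Power Users.
# That mode adds the domain group to the local group; "Members of this
# group" would instead replace the local group's existing members.

# --- Day-to-day grant / revoke (no change made on the laptop) ----------------
function Grant-TempPowerUser {
    param([Parameter(Mandatory)][string]$User)
    Add-ADGroupMember -Identity $GroupName -Members $User
}
function Revoke-TempPowerUser {
    param([Parameter(Mandatory)][string]$User)
    Remove-ADGroupMember -Identity $GroupName -Members $User -Confirm:$false
}

# --- Review after revoking ---------------------------------------------------
# Who still holds the right, and which local accounts exist on the laptop
# (the thread's concern: an account created while the user was elevated).
function Get-TempPowerUserReview {
    [pscustomobject]@{
        GroupMembers  = (Get-ADGroupMember -Identity $GroupName).SamAccountName
        LocalAccounts = (Get-CimInstance -ClassName Win32_UserAccount `
            -Filter 'LocalAccount=True' -ComputerName $Computer).Name
    }
}
```

A change to the domain group's membership reaches the user's access token at the next logon that can contact a domain controller, so a revoke is not effective until then.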
Commented:
Hi,
You have an alternative for the Restricted Group Policy:
 
At the client machine, add the user to a domain group (call it group1). At the domain level (DC), add group1 to power user. Now whenever you want, you can remove Group1 from power users group and this way, you can control his rights...

How's that?

Regards,

Arun.

Author

Commented:
Thanks for the quick response everyone, but I am lost. I have no idea what a GPO is.  I am not very computer savvy.  I need step by step instructions here.

Author

Commented:
I do not want to make any changes on the client machine.  This machine is 1500 miles away and I do not want to rely on the user every time I need to give and take away the security.  This is why I want to learn how to do it in Active Directory.

BA

Author

Commented:
I like the route that snowdog01 is taking. Now can someone give me step by step instructions?

BA

Commented:
Hi,

You don't need to go to the client machine. Just take a remote session and do the needful (this is easiest).

BTW, GPO is Group Policy Object.

You can apply a GPO on any AD container like an OU (Organizational Unit), Site or Domain level.

Now you can apply restricted groups policy on domain level and select that user as a member of Power Users, and then you can remove it any time.

Here is the location of the policy: (see the image).

image0021101382950147.jpg

Author

Commented:
Ark-ds, thanks for the comments but I am lost and have no clue what you want me to do.

BA

Commented:
Ok,

Let me be very specific.

If you want to follow my first post (#26441493 above), then you have to do this:

1. Create a group in AD (name is GRP1) (Using DSA.MSC).
2. Take a remote session to the client machine that the user uses.
3. Log on to that machine as you (admin).
4. Open lusrmgr.msc.
5. Expand users.
6. Find that user and go to its properties.
7. Click on 'Member Of' tab.
8. Click Add.
9. Type Domain\GRP1 in the box and press OK.
10. GRP1 should be listed in the 'Member Of' tab now.

------------------------------

Now to control the rights, you will not have to go to client machine again and again. You can simply add GRP1 to 'Power Users' group on the DC and remove it whenever you want to revoke the user's rights.

To add GRP1 to Power Users:

1. Open DSA.MSC on DC.
2. Go to the GRP1 Group.
3. Right click on the GRP1 group and go to properties.
4. Click 'Member Of' tab.
5. Click Add.
6. Type 'Power Users'
7. Click OK.
8. Power Users should appear in Member Of tab.

==> You can simply come to same location and remove power users from the Member Of tab whenever required.

Regards,

Arun.

Commented:
If you want to go for Restricted Groups Policy to achieve this, follow this link:

http://technet.microsoft.com/en-us/library/cc785631(WS.10).aspx

Regards,

Arun.
Top Expert 2013

Commented:
"I have no idea what a GPO is.  I am not very computer savvy.  I need step by step instructions here."

Then restricted groups and security filtering may not be the best for your first ever test of group policy...or definitely test it out if you can.

Just want to be careful if you have never heard of or used group policy.

Thanks

Mike

Commented:
I agree with Mike, that's why I told you step by step instructions to achieve it by using groups...

Regards,

Arun.

Author

Commented:
Sorry everyone we went on vacation.  Plan to try the solution on Tuesday when I am back in the office
