Borgs8472
Allow group to fully administer a selection of machines

I'm very new to Active Directory, having been persuaded by the internal sysadmin to migrate our web hosting and staging environments to AD recently. The initial aim here is to avoid the logging and management cost associated with maintaining scores of different passwords and credentials.

I'm trying to perform what should be an easy starter task. I have created some users and put them in a 'QA Admin' group. I want to delegate all members of this group to have full administrative control on several QA machines which I have already joined to the AD.

I can't work out which function or wizard to use to perform this kind of full delegation I'm after!
Krzysztof Pytko

OK, do you mean that QA Admin group should have full control to manage computer objects in Active Directory or that group should be added to local administrators group on those PCs?

Right-click the OU that the PCs are in, and select the top option of "Delegate Control".
Assign the group you created.
Use "Create a custom task"
Select "Only the following objects" and tick "computer objects"
Follow the wizard the rest of the way through to determine exactly what rights you want to allocate to the group.
Happy hunting!

Sorry - I possibly misread.
If you want the group members to have full rights locally on the QA machines, then as Krzysztof suggested, add that group to the "Local Admins" group on each QA box. If there is a large number of machines, you can do this by using a group policy.
PeteJThomas
Apologies to those who posted before me - I was writing that for AGES and no one had posted when I started. :) I just assumed the author meant administer via the local admin group... I hope I'm right, otherwise I just wasted nearly 30mins!! :D lol
Borgs8472
Chev_PCN, your info seems most correct. However, which is the option beyond 'computer objects' I need to select to allow RDP/Administration?
If you want to allow the group to RDP to the machines, and to administer them, then follow Pete's detailed and excellent steps for putting in a GPO.
As Chev_PCN points out, if you're looking to grant a select group of people the rights to RDP on to a machine and then administer that machine, it's LOCAL permissions you need to enforce, and nothing you do to the computer accounts themselves in AD will allow this.

AD Delegation of Authority is for delegating out the authority to administer the AD objects themselves, to carry out tasks within AD (i.e. moving objects between OUs, resetting passwords, creating GPOs in the first place, etc etc). Any actual tasks that are carried out OUTSIDE of the AD interfaces (ADUC, GPMC etc) generally need to be implemented via group policies (one of the most powerful and useful features of AD in my opinion).

Please don't be put off by the length of the instructions, the process itself (if you know it well) would only take a few minutes to complete. I attempted step-by-step Instructions, and these always read/look more complex than the actual procedure they're explaining.

Many thanks,

You just move all the PCs to a single OU.
Then create a new GPO for that OU and add the group to the administrators of that GPO.
Awesome, though I used 'Administrators' rather than 'Builtin\Administrators'
No worries, just double check that this didn't add your QA Admin group to the Administrators group for the entire domain (i.e. <DomainName>\Administrators), as this is basically the same as adding them to the Domain Admins group (which is itself a member of the Administrators group for the domain).

That's the only reason I always stick builtin\... in front - just to be very clear that I'm aiming at the local administrators group and not the domain administrators group! :)

If you're relatively new to AD, you should definitely do some reading on group policy and all the settings and policies that you can enforce using it. It makes central administration of a vast majority of local machine tasks very easy to control!

Glad we could help,

Actually I think I did do that. It wouldn't allow me to add builtin\Administrators!
Hmmmm that's odd... I've used that several times in GPOs, as you can see in the screenshot I've embedded below:
We have a 2008 domain, and I can't really remember using any restricted groups GPOs prior to our 2008 implementation, but I can't think why it wouldn't allow that in 2003...

Either way, if you search for the 'Administrators' group within AD Users & Computers and view its members, by default it should only have the Administrator account and the Domain Admins group in it. If it's got your QA Admin group in it as well, you'll need to take action, as I'm pretty sure you don't want this group able to do anything they want in your domain!

I'd suggest trying to create another GPO, and try again with the BUILTIN\Administrators group specification? As I said, I can't think of a reason this would work...
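An added example for the two checks discussed in the reply above (verify the domain's Administrators group was not touched, then verify the group actually landed in the local Administrators group on each QA machine). This is not code from anyone in the thread. The group name 'QA Admin' and the OU path are assumptions; Get-LocalGroupMember needs Windows PowerShell 5.1 or later on the target machines, so on the 2003-era boxes the thread mentions you would run `net localgroup Administrators` through Invoke-Command instead.

```powershell
# Added example (not from the thread). Checks that 'QA Admin' is NOT a member of
# <DomainName>\Administrators and IS a member of BUILTIN\Administrators on every
# computer in the QA OU. Requires the RSAT ActiveDirectory module and WinRM.
Import-Module ActiveDirectory

$GroupName = 'QA Admin'                              # assumed group name
$QaOu      = 'OU=QA,OU=Servers,DC=example,DC=com'    # assumed OU holding the QA machines

# --- Check 1: the DOMAIN Administrators group (S-1-5-32-544 in the domain) ---
# By default it holds only Administrator and Domain Admins (plus Enterprise Admins
# in a forest root domain). A direct membership of the QA group here is the
# mistake Pete warns about.
$qaGroup       = Get-ADGroup -Identity $GroupName
$directMembers = Get-ADGroupMember -Identity 'Administrators'
if ($directMembers.distinguishedName -contains $qaGroup.DistinguishedName) {
    Write-Warning "$GroupName is a direct member of the DOMAIN Administrators group - remove it!"
    # Uncomment to remediate:
    # Remove-ADGroupMember -Identity 'Administrators' -Members $qaGroup -Confirm:$false
} else {
    Write-Host "$GroupName is not in the domain Administrators group (good)."
}

# --- Check 2: the LOCAL Administrators group on each QA machine ---
$computers = Get-ADComputer -Filter * -SearchBase $QaOu |
    Select-Object -ExpandProperty Name

$results = Invoke-Command -ComputerName $computers -ErrorAction Continue -ScriptBlock {
    # Names come back as DOMAIN\Group or COMPUTER\User; Group Policy (Restricted
    # Groups) applies at the next refresh, so run 'gpupdate /force' first if needed.
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object @{ n = 'Computer'; e = { $env:COMPUTERNAME } }, Name, ObjectClass
}

$results | Sort-Object Computer, Name | Format-Table Computer, Name, ObjectClass -AutoSize

# Flag any machine where the QA group is missing from local Administrators.
$expected = "{0}\{1}" -f (Get-ADDomain).NetBIOSName, $GroupName
foreach ($c in $computers) {
    $hit = $results | Where-Object { $_.Computer -eq $c -and $_.Name -eq $expected }
    if (-not $hit) {
        Write-Warning "$c : $expected is NOT in the local Administrators group (unreachable or GPO not applied)"
    }
}
```

Check 1 deliberately looks at direct members only: a recursive query would expand the QA group into its users and hide the fact that the group object itself was added to the domain's Administrators.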
Oh and on an unrelated note, I just noticed a mistake in my original instructions, so just to be clear on the understanding of this, where I said:

>>> On the next screen, click ADD next to the 'This group is a member of' section. NOTE: Do not click Add on the 'Members of this group' section, as this would have the intent of a wholesale replacement of the memberships of the local admin group on these machines, as opposed to simply the addition of your group. <<<

It should have said that adding to the 'Members of this group' section would have the intent of a wholesale replacement of the memberships of the group you specified at the start (in your case, the QA Admin group), NOT the local admin group like I said...

Sorry, just wanted to clear that up so as not to give the wrong idea!
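The two Restricted Groups settings Pete distinguishes above ('Members of this group' versus 'This group is a member of') are stored as `__Members` and `__Memberof` keys in the GPO's GptTmpl.inf, which lives in SYSVOL under `\\<domain>\SYSVOL\<domain>\Policies\{GPO-GUID}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf`. The added example below (not from the thread) parses that section and states, per line, whether the setting adds a group somewhere or replaces a group's membership. The file content is constructed for illustration and the domain SIDs in it are made up.

```powershell
# Added example (not from the thread). Parses the [Group Membership] section of a
# Restricted Groups GptTmpl.inf and reports the effect of each line.
# The sample below is CONSTRUCTED; the S-1-5-21-... SIDs are invented.
$SampleInf = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-21-1111111111-2222222222-3333333333-1105__Memberof = *S-1-5-32-544
*S-1-5-32-544__Members = Administrator,*S-1-5-21-1111111111-2222222222-3333333333-512
'@

function Resolve-SidToken {
    # Tokens prefixed with '*' are SIDs; names are stored as-is.
    # Well-known SIDs (e.g. *S-1-5-32-544 = BUILTIN\Administrators) resolve offline;
    # unknown/made-up domain SIDs are returned unchanged.
    param([string]$Token)
    if ($Token -notlike '*S-1-*') { return $Token }
    try {
        (New-Object System.Security.Principal.SecurityIdentifier($Token.TrimStart('*'))).
            Translate([System.Security.Principal.NTAccount]).Value
    } catch { $Token }
}

function Get-RestrictedGroupIntent {
    param([Parameter(Mandatory)][string]$IniText)

    $inSection = $false
    foreach ($raw in $IniText -split "`r?`n") {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Group Membership'); continue }
        if (-not $inSection -or $line -eq '') { continue }

        # Key is '<group>__Members' or '<group>__Memberof'; value is a comma list.
        $key, $value = $line -split '\s*=\s*', 2
        if ($key -notmatch '^(?<group>.+)__(?<kind>Members|Memberof)$') { continue }
        $group = Resolve-SidToken $Matches['group']
        $kind  = $Matches['kind']
        $list  = if ($value) { ($value -split ',') | ForEach-Object { Resolve-SidToken $_.Trim() } } else { @() }

        [pscustomobject]@{
            Group   = $group
            Setting = if ($kind -eq 'Members') { 'Members of this group' } else { 'This group is a member of' }
            Effect  = if ($kind -eq 'Members') {
                          "REPLACES the membership of '$group' with: $($list -join ', ')" +
                          $(if (-not $list) { ' (empty list - verify this is intended)' })
                      } else {
                          "ADDS '$group' to: $($list -join ', ')"
                      }
        }
    }
}

Get-RestrictedGroupIntent -IniText $SampleInf | Format-List
```

On the constructed sample the first line is the safe form from Pete's instructions (the QA group is added to BUILTIN\Administrators, existing local admins untouched); the second is the 'Members of this group' form applied to BUILTIN\Administrators itself, which on every machine in scope overwrites the local Administrators membership with exactly the listed accounts. Run the function against a real GptTmpl.inf from SYSVOL to confirm which of the two you actually configured.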