awilderbeast
asked on
user rights to uninstall and install on a domain, do they have to be domain admin? administrator wont enable uninstall...
Hi all,
quick one here,
we have a IT junior now in our office and ive created him a seperate account to install and uninstall software, i put the new account in the administrators group, this lets him install but not uninstall
what rights does he need to do both?
also if it is domain admin, how can i prohibit him rdping in this account to the servers?
Thanks
quick one here,
we have a IT junior now in our office and ive created him a seperate account to install and uninstall software, i put the new account in the administrators group, this lets him install but not uninstall
what rights does he need to do both?
also if it is domain admin, how can i prohibit him rdping in this account to the servers?
Thanks
ASKER
really hmmm, it wont let him uninstall when hes logged in with this account thats a member of administrators, ive seen it myself too
but if administrators can rdp in, i dont want him in that group either
ive created a security group called machine admins, how do i apply features to this group?
i.e uninstall and install software only, thats all i want him to do really
cheers
but if administrators can rdp in, i dont want him in that group either
ive created a security group called machine admins, how do i apply features to this group?
i.e uninstall and install software only, thats all i want him to do really
cheers
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Anyone in the administrators group can by default use RDP. You can block this by using a deny against a different group (that he could be a mamber of) or against his account explicitly (bit nasty though). This isn't ideal as you'd have to make the deny change on each server.
You should have a separate "Server Admins" group that gives server admin right without being a domain admin.
Then have other server admin groups for different types of server, e.g. exchange admins, terminal server admins, SQL admins to make it more granular. Depends on the size of your IT facilities of course.
Don't make somebody you don;t trust a domain admin, they could cause massive damage unintentionally (or intentionally!).