
What AD account for temporary admin

I have to create an account for a third party to be able to load software on some of our desktops locally, but I do not want them to access the domain controllers.  What group should I put them in?  I am running Win2003 Server standard SP2.

Top Expert 2013
Commented:
You can use restricted groups to add his account to those desktops (local admin).  Good overview from Florian (http://www.frickelsoft.net/blog/?p=13).  Notice you would want to use the bottom box to add to what you already have on the machines.

When he is gone you can remove the policy, or just add a group and add that to the machines, and if you ever need this again you can just add the person to the group (something like "workstation admins").

Thanks

Mike
Andrew Hancock (VMware vExpert / EE Fellow)VMware and Virtualization Consultant
Fellow 2018
Expert of the Year 2017

Commented:
Put them in the Local Administrators Group on the Workstations (not the Domain Admin groups).

Author

Commented:
hanccocka,

I know that is an option, but I would have to create a local account on dozens of PCs.  That is what I am trying to avoid.
Top Expert 2013

Commented:
No, you don't; just create an AD account and group.  You add that group using a group policy (restricted groups).
Andrew Hancock (VMware vExpert / EE Fellow)VMware and Virtualization Consultant

Commented:
You Create a Global AD Group. Add the Global Group to the Workstations Administrator Group.

Add the Account you Create to the Global Group.

Author

Commented:
hanccocka:

I do not have a Workstation Admin Group.  Can you walk me through this process?  Thanks!
Andrew Hancock (VMware vExpert / EE Fellow)VMware and Virtualization Consultant

Commented:
Create a new Global Group in Active Directory called Workstation Admin Group?

Do you not know how to create users or groups using Active Directory Users and Computers?

Author

Commented:
hanccocka:

Yes I do know how, but creating a group does not restrict the user.
Andrew Hancock (VMware vExpert / EE Fellow)VMware and Virtualization Consultant

Commented:
Correct, so you log in to the workstation and add the Workstation Admin Group to the Local Administrators group.
Andrew Hancock (VMware vExpert / EE Fellow)VMware and Virtualization Consultant

Commented:
Then when you add an AD user into the Workstation Admin Group, they can administer that Workstation ONLY.

Author

Commented:
OK, so I have to visit each workstation anyway (or manage remotely).  That is what I am trying to avoid.
Andrew Hancock (VMware vExpert / EE Fellow)VMware and Virtualization Consultant

Commented:
This can be done with Group Policy. Are you proficient with Group Policies?

Author

Commented:
I have set up many Domains from the ground up with multiple OUs and GPs. I know how to create OUs and GPs.  However, I am having a sort of mental block on this one.  I know how to assign permissions or make users a "Member Of" a group.  But there is no built-in Workstation Admin group with the policies I need here.  I have no problem creating the group and adding the user, but how is it restricted?  Through a GP?   If so, what settings in the GP need to be set or changed?
Andrew Hancock (VMware vExpert / EE Fellow)VMware and Virtualization Consultant

Commented:
Mike, in the first post, posted a URL on how to add this using group policy.

Author

Commented:
I did not see this link first time around.  That worked, thank you!