Assign a user account Add/Disable accounts and Local PC Admin

Please note: ADDS is Windows 2008 R2 SP1

1) Need to make a group of users have Local Admin rights on any PC they log into - Details Please

2) Need to give a user account the ability to create and disable accounts in ADDS from his/her desktop ...How? (and what do I need to install on the desktop)

Thanks Experts :)
BigBadWolf_000 Asked:
SuperTaco Commented:
Question 2 is easy. Install RSAT (Remote Server Administration Tools) on their desktop and make them Account Operators within the domain.

For question one, restricted groups is your answer. Here's a quick explanation and some links that can explain it better than I can.


computer configuration \ windows settings \ restricted groups

group = your group to be made local admins
member of = BUILTIN\Administrators



http://www.windowsecurity.com/articles/Using-Restricted-Groups.html

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/156780ef-eb36-4433-b3fe-1b1a15c18f6a.mspx

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_scerestrictgroups.mspx


There is absolutely nothing that has to be done on the client side.

Create the gpo in the ou where the Computers reside (NOT the users), go to
0

Mike Kline Commented:
Just a follow up to the restricted groups links, I really like Florian's blog

http://www.frickelsoft.net/blog/?p=13

Notice you will want to use the bottom box "this group is a member of" so that it only appends the new group and doesn't wipe out what is there.

Test on a few test machines first so you can get a feel for it.

In addition for question 1 you will have to delegate rights to the user.  You can delegate rights using the delegation control wizard "create, delete, and manage user account".  There is also the account operators group.

Thanks

Mike
0
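One way to run the test-machine check suggested above, as an added example that is not part of the original thread: it reads the local Administrators group through the ADSI WinNT provider (available on PowerShell 2.0 clients) and reports whether the GPO group arrived and whether earlier members were wiped. The names `EXAMPLE\PC-LocalAdmins` and the baseline list are assumptions.

```powershell
# Added example. $GpoGroup and $Baseline are hypothetical; set them for your domain.
$GpoGroup = 'EXAMPLE\PC-LocalAdmins'                      # group pushed by the Restricted Groups GPO
$Baseline = @('Administrator', 'EXAMPLE\Domain Admins')   # members that must survive the GPO

function Get-LocalAdministrators {
    param([string]$Computer = $env:COMPUTERNAME)
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    foreach ($m in @($group.Invoke('Members'))) {
        # ADsPath looks like WinNT://DOMAIN/name, or WinNT://DOMAIN/COMPUTER/name for local accounts
        $path  = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $parts = $path.Substring(8).Split('/')
        if ($parts.Count -ge 3 -or $parts[0] -eq $Computer) { $parts[-1] }   # local account: bare name
        else { $parts -join '\' }                                            # domain principal
    }
}

function Test-LocalAdministrators {
    param([string[]]$Actual, [string[]]$Baseline, [string]$GpoGroup)
    New-Object PSObject -Property @{
        # False: the GPO has not applied to this machine yet
        GpoGroupPresent = ($Actual -contains $GpoGroup)
        # Non-empty: existing members were removed (replace behaviour, not append)
        WipedBaseline   = @($Baseline | Where-Object { $Actual -notcontains $_ })
        # Non-empty: members nobody accounted for; review before rolling out wider
        Unexpected      = @($Actual | Where-Object { $Baseline -notcontains $_ -and $_ -ne $GpoGroup })
    }
}

# Constructed sample: a membership list in which a baseline entry has disappeared.
$sample = @('Administrator', 'EXAMPLE\PC-LocalAdmins')
Test-LocalAdministrators -Actual $sample -Baseline $Baseline -GpoGroup $GpoGroup

# Live check on a test machine after the policy has refreshed (gpupdate /force, then reboot).
Test-LocalAdministrators -Actual @(Get-LocalAdministrators) -Baseline $Baseline -GpoGroup $GpoGroup
```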
Brian Pierce (Photographer) Commented:
If all you want the users to do is manage user accounts then you would have to install the RSAT as has been said. However, you probably want to use the delegation of control wizard to give the users the necessary rights - and no more, and you might want to create a task pad for them to make life a little easier.

See http://www.howtogeek.com/50166/using-the-delegation-of-control-wizard-to-assign-permissions-in-server-2008/
and http://www.youtube.com/watch?v=I7ighWF8Hd0

and http://www.petri.co.il/create_taskpads_for_ad_operations.htm
0
Sandeshdubey (Senior Server Engineer) Commented:
1) Need to make a group of users have Local Admin rights on any PC they log into?
You can achieve the same by restricted group or startup script.

Using the restricted group policy you will not only add required members to local Administrators, but it will remove any members that were in local Admins previously.
 
Instead, there is a much easier way to accomplish what you want:
Set a startup script in group policy with the following line:
NET localgroup Administrators /add "domain_name\domain_group"
That's it....the next time the computers are started, the group will be added to the local admin group.
Instead of group you can mention userid as below
NET localgroup Administrators /add "domain_name\domain_Userid"

However, if you want to configure restricted group, refer to this link: http://www.windowsecurity.com/articles/Using-Restricted-Groups.html

2) Need to give a user account the ability to create and disable accounts in ADDS from his/her desktop ...How? (and what do I need to install on the desktop)

You need to delegate rights for the user for the ability to create, delete account in AD.
http://www.activewin.com/win2000/step_by_step/active_directory/delegsteps.shtml
http://briandesmond.com/blog/delegating-enable-disable-account-rights-in-active-directory/

Once delegation is given you can install RSAT tool (Win7) or adminpak (WinXP) depending upon the client OS so that user can manage the activity from the user's desktop.

RSAT tool for Win7
http://www.microsoft.com/download/en/details.aspx?id=7887

Adminpak for winxp
http://www.microsoft.com/download/en/details.aspx?id=16770

Hope this helps

0
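The delegation described in the answers above, scoped to a single OU with `dsacls` instead of the wizard, as an added example that is not part of the original thread. The OU path and the group `EXAMPLE\Helpdesk-AccountOps` are hypothetical; run it from an account that can modify permissions on that OU, on a machine with RSAT installed.

```powershell
# Added example. $OU and $Delegate are hypothetical names; replace with your own.
$OU       = 'OU=Staff,DC=example,DC=com'      # only accounts under this OU are affected
$Delegate = 'EXAMPLE\Helpdesk-AccountOps'     # grant to a group, then add the user to it

# 1. Allow creating user objects in this OU and its sub-OUs (/I:T = this object and children).
#    Use CCDC instead of CC only if the delegate must also delete accounts.
dsacls $OU /I:T /G "${Delegate}:CC;user"

# 2. Allow writing userAccountControl on descendant user objects (/I:S = child objects only).
#    This is the attribute that carries the enabled/disabled flag.
dsacls $OU /I:S /G "${Delegate}:WP;userAccountControl;user"

# 3. Review what was granted: list only the ACEs that mention the delegate group.
dsacls $OU | Select-String -SimpleMatch $Delegate

# 4. Confirm the delegate is not also in the domain-wide Account Operators group,
#    which would make the OU scoping above meaningless.
Import-Module ActiveDirectory
$inAO = Get-ADGroupMember 'Account Operators' -Recursive |
        Where-Object { $_.SamAccountName -eq ($Delegate -split '\\')[-1] }
if ($inAO) { Write-Warning "$Delegate is a member of Account Operators" }
```

Granting to a group rather than to the individual account keeps the ACL on the OU stable when staff change.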
BigBadWolf_000 (Author) Commented:
Thanks to all.
mkline71: Thanks for pointing out the very important detail of Appending vs Replacing :)
0