Damo_IBG
 asked on

Local Administrator users in 2008 Active Directory?

Hi Folks,

Sorry if this is a dumb question - I don't have any MCSE type folks at my current job to ask for guidance :(

So historically we've had one SBS2008 server in our main office (Australia), and standalone non-domain PCs in our other offices (NZ, UK, Ireland, India).  I'm trying to get our AD domain into the other offices, and have pushed out 2K8R2 domain controllers, joined the workstations to the domain, and it's working quite nicely.  Well, once I sorted out the replication schedules - SBS doesn't play nice ;)  We'll remove it eventually, but we have a few other things to do before we can retire the old machine.

Now I'm at the stage where each office has a bunch of PCs that are dedicated to one task - i.e. Sage Act! Server, Egrabber (Email->Act lead integration), etc - which I want to migrate to 2K8R2 Virtual machines, with their own 'service user' login.

What I want for this, is an account for each 'role', which has Local Administrator privileges on the appropriate VM in each country.  I've seen the suggestions to use the Restricted Groups GPO - but I can't seem to simply link that to a specific machine..?

i.e. I want ROLEUSER_IE_ACT to be a local admin on the IESERV_ACT machine, and ROLEUSER_IE_EGRAB to be a local admin on the IESERV_EGRAB machine.  All up I have probably 15 role accounts to be assigned to individual machines.  So the question is - is there a nice clean way to do that?

Thanks,

DG
Windows Server 2008, Active Directory

Last Comment
Damo_IBG

8/22/2022 - Mon
wullieb1

Restricted groups is an option but you would need to create multiple OUs dedicated for each machine.

Is there a reason why you couldn't have all the service accounts have the same permissions on each server??
Damo_IBG

ASKER
Ahhh, OUs is the secret - I was expecting it'd be like adding drive mappings for shares per user/group/computer in a GPO - you just set the criteria. That'd be what I was missing!

I'd rather not have all the accounts have access on all the servers, as that would mean that someone who had the login details for one administrator account could log in to any other server as administrator as well?  The problem is that some VMs will have normal staff logging in to check the status of a program a few times a day - and I don't want those staff able to authenticate against any other servers as those users, if they decide they want to 'play'.  In some other cases (especially the ACT servers), external contractors will occasionally log in to the server in their country to apply updates, etc.

Back on Windows 2000, I'd have simply given each user Local Administrator rights on that server - but 2008 Server doesn't seem to have that option :(
ASKER CERTIFIED SOLUTION
wullieb1

SOLUTION
Damo_IBG

Damo_IBG

ASKER
For now we'll go the simpler way of assigning a domain user as Local Administrator on the target server, rather than using OUs.  OUs would be better in a larger environment though.
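
The per-server assignment described in the comment above, as an added example that is not part of the original thread: a PowerShell script that uses the ADSI WinNT provider to put each role account in the local Administrators group of its one server and to flag any other role account found there. The domain name `EXAMPLE` is a placeholder, the group name assumes an English-language OS, and the function names and the `ROLEUSER_*` pattern check are hypothetical.

```powershell
# Added example. EXAMPLE is a placeholder NetBIOS domain name; the two
# account/server pairs are the ones named in the question.
$Domain = 'EXAMPLE'
$Assignments = @{
    'IESERV_ACT'   = 'ROLEUSER_IE_ACT'
    'IESERV_EGRAB' = 'ROLEUSER_IE_EGRAB'
}

# Hypothetical helper: list the ADsPath of every member of a machine's
# local Administrators group (group name assumes an English-language OS).
function Get-LocalAdminPath {
    param([string]$Computer)
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
    }
}

# Hypothetical helper: make sure one role account is a local admin on one
# server, and flag any other ROLEUSER_* account that is also a member.
function Set-RoleAdmin {
    param([string]$Computer, [string]$Account, [switch]$ReportOnly)
    $wanted  = "WinNT://$Domain/$Account"
    $members = @(Get-LocalAdminPath -Computer $Computer)

    if ($members -notcontains $wanted) {
        if ($ReportOnly) {
            Write-Output "${Computer}: $Account is missing"
        } else {
            ([ADSI]"WinNT://$Computer/Administrators,group").Add($wanted)
            Write-Output "${Computer}: added $Account"
        }
    }
    foreach ($path in $members) {
        if ($path -like "WinNT://$Domain/ROLEUSER_*" -and $path -ne $wanted) {
            Write-Warning "${Computer}: unexpected role account $path"
        }
    }
}

# Audit first; drop -ReportOnly to apply the assignments.
foreach ($server in $Assignments.Keys) {
    Set-RoleAdmin -Computer $server -Account $Assignments[$server] -ReportOnly
}
```

Run it from an account that already has administrative rights on the target servers; the warning output shows where a role account has access to a server other than its own.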