asked on
Local Administrator users in 2008 Active Directory?
Hi Folks,
Sorry if this is a dumb question - I don't have any MCSE type folks at my current job to ask for guidance :(
So historically we've had one SBS2008 server in our main office (Australia), and standalone non-domain PC's in our other offices (NZ, UK, Ireland, India). I'm trying to get our AD domain into the other offices, and have pushed out 2K8R2 domain controllers, joined the workstations to the domain, and it's working quite nicely. Well, once I sorted out the replication schedules - SBS doesn't play nice ;) We'll remove it eventually, but we have a few other things to do before we can retire the old machine..
Now I'm at the stage where each office has a bunch of PC's who are dedicated to one task - i.e. Sage Act! Server, Egrabber (Email->Act lead integration), etc - which I want to migrate to 2K8R2 Virtual machines, with their own 'service user' login.
What I want for this, is an account for each 'role', which has Local Administrator privileges on the appropriate VM in each country. I've seen the suggestions to use the Restricted Groups GPO - but I can't seem to simply link that to a specific machine..?
i.e. I want ROLEUSER_IE_ACT to be a local admin on IESERV_ACT machine. and ROLEUSER_IE_EGRAB to be a local admin on IESERV_EGRAB machine. ALL up I have probably 15 role accounts to be assigned to individual machines.. So the question is - is there a nice clean way to do that?
Thanks,
DG
Sorry if this is a dumb question - I don't have any MCSE type folks at my current job to ask for guidance :(
So historically we've had one SBS2008 server in our main office (Australia), and standalone non-domain PC's in our other offices (NZ, UK, Ireland, India). I'm trying to get our AD domain into the other offices, and have pushed out 2K8R2 domain controllers, joined the workstations to the domain, and it's working quite nicely. Well, once I sorted out the replication schedules - SBS doesn't play nice ;) We'll remove it eventually, but we have a few other things to do before we can retire the old machine..
Now I'm at the stage where each office has a bunch of PC's who are dedicated to one task - i.e. Sage Act! Server, Egrabber (Email->Act lead integration), etc - which I want to migrate to 2K8R2 Virtual machines, with their own 'service user' login.
What I want for this, is an account for each 'role', which has Local Administrator privileges on the appropriate VM in each country. I've seen the suggestions to use the Restricted Groups GPO - but I can't seem to simply link that to a specific machine..?
i.e. I want ROLEUSER_IE_ACT to be a local admin on IESERV_ACT machine. and ROLEUSER_IE_EGRAB to be a local admin on IESERV_EGRAB machine. ALL up I have probably 15 role accounts to be assigned to individual machines.. So the question is - is there a nice clean way to do that?
Thanks,
DG
Windows Server 2008Active Directory
Last Comment
Damo_IBG
ASKER
Ahhh, OU's is the secret - I was expecting it'd be like adding drive mappings for shares per user/group/computer in a GPO - you just set the criteria.. That'd be what I was missing!
I'd rather not have all the accounts have access on all the servers, as that would mean that someone who had the login details for one administrator account, could login to any other server as administrator as well? The problem is that some VM's will have normal staff logging in to check the status of a program a few times a day - and i don't want those staff able to authenticate against any other servers as those users, if they decide they want to 'play'.. In some other cases (especially the ACT servers), external contractors will occasionally login to the server in their country to apply updates, etc.
Back on windows 2000, I'd have simply given each user Local Administrator rights on that server - but 2008 Server doesn't seem to have that option :(
I'd rather not have all the accounts have access on all the servers, as that would mean that someone who had the login details for one administrator account, could login to any other server as administrator as well? The problem is that some VM's will have normal staff logging in to check the status of a program a few times a day - and i don't want those staff able to authenticate against any other servers as those users, if they decide they want to 'play'.. In some other cases (especially the ACT servers), external contractors will occasionally login to the server in their country to apply updates, etc.
Back on windows 2000, I'd have simply given each user Local Administrator rights on that server - but 2008 Server doesn't seem to have that option :(
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
For now we'll go the simpler way of assigning a domain user as Local Administrator on the target server, rather than using OU's. OU's would be better in a larger environment though.
Is there a reason why you couldn't have all the service accounts have the same permissions on each server??