
Allow user to manage PCs but not domain in AD

I need to allow a user to install software and generally manage computers in our Windows Server 2008 AD, but we don't want to give them full rights to the AD.

Is there a way I can grant him rights to all machines without having to manually add them to each computer's Administrators group or the Domain Admins group?

helpfinder (IT Consultant) commented:
You should be able to make him local admin on each PC using GPO.

You can check e.g. this guide about that procedure.
Mike Kline commented:
You can use restricted groups via group policy and give them admin rights on just the PCs.

Florian has a great writeup here: http://www.frickelsoft.net/blog/?p=13

Notice the two boxes; you will want the lower box, "This group is a member of", so that it appends the group to your current computers.

Create a group called "help desk admins" (or whatever you pick). Put this person's account in that group and use a GPO to add that group to local admins. If your computers are in an OU you can link the GPO there.
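To confirm which of the two Restricted Groups boxes a GPO actually uses, here is an added example (not part of the original answers) that reads the `[Group Membership]` section of the GPO's `GptTmpl.inf` security template and reports whether local Administrators is appended to or replaced. The SIDs in the sample are constructed placeholders, and the function names are hypothetical.

```python
"""Classify Restricted Groups entries in a GPO's GptTmpl.inf (added example)."""

ADMINS_SID = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators

# Constructed sample; the domain SID and RID are placeholders.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-21-1111111111-2222222222-3333333333-1105__Memberof = *S-1-5-32-544
*S-1-5-21-1111111111-2222222222-3333333333-1105__Members =
"""

def parse_group_membership(inf_text):
    """Return {group: {"members": [...], "memberof": [...]}} from [Group Membership]."""
    groups, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        group, sep, kind = key.strip().rpartition("__")
        if not sep or kind.lower() not in ("members", "memberof"):
            continue
        entry = groups.setdefault(group.lstrip("*"), {"members": [], "memberof": []})
        entry[kind.lower()] = [v.strip().lstrip("*") for v in value.split(",") if v.strip()]
    return groups

def review_admin_grants(inf_text):
    """List (mode, group, detail) findings that affect local Administrators."""
    findings = []
    for group, entry in parse_group_membership(inf_text).items():
        if ADMINS_SID in entry["memberof"]:
            # "This group is a member of": appended, existing admins are kept.
            findings.append(("append", group, "added to local Administrators"))
        if group.upper() == ADMINS_SID or group.lower() == "administrators":
            # "Members of this group": the list replaces local Administrators.
            findings.append(("replace", group, ", ".join(entry["members"]) or "(empty)"))
    return findings

if __name__ == "__main__":
    for finding in review_admin_grants(SAMPLE_INF):
        print(*finding, sep=" | ")
```

The template on SYSVOL is typically stored as UTF-16, so decode it accordingly before passing the text in. A `replace` finding means the policy overwrites the local Administrators membership on every machine it applies to, which is the mode the answer above steers away from.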


Sarang Tinguria (Sr Engineer) commented:
Agree with above.

willp2 (Author) commented:
Worked like a champ. Thanks!