Admin user accounts

Posted on 2013-09-29
Medium Priority
Last Modified: 2013-12-27
We have contractors installing PCs onsite and I want to give them an admin account which will allow them to add PCs to our domain and local admin rights over those PCs for software installation. I don't, however, want that account to be able to log in locally to any server.

Can I just create a domain admin account and deny local login on each server or is there a better route?

Thanks for your help.
Question by:wifiit
LVL 24

Assisted Solution

by:Radhakrishnan R
Radhakrishnan R earned 668 total points
ID: 39530895

You can use GPOs to achieve this. Refer to the link for the step-by-step guide: http://windowsitpro.com/windows-server/jsi-tip-8144-how-can-i-allow-ordinary-user-add-computer-domain

Hope this helps
LVL 25

Accepted Solution

Mohammed Khawaja earned 668 total points
ID: 39531042
This is how you do it:

1.  Create accounts for the contractors as domain user members only
2.  Create OUs where these contractors will be creating PCs
3.  Delegate rights and grant these contractors the ability to add computers to the domain
4.  Install the AD management tools for the contractors
5.  Create a GPO to add the contractor accounts to the local Administrators group (this could be as simple as a computer policy to run a script containing:   net localgroup administrators domain\user-or-group /add)
6.  Advise contractors to create the computer account in the required OU prior to joining the computer to the domain (by default non-domain admins can only add 5 or 10 computers to the domain unless they create the computer account first)
7.  Contractors join computers to the domain and they have local admin privileges on those computers
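A PowerShell version of steps 1 to 3 and 6 above, added here as an example and not taken from the thread. It assumes the RSAT ActiveDirectory module, a domain admin session, and made-up names: user contractor1, group ContractorPCInstallers, and an OU "Contractor PCs" directly under the domain root.

```powershell
# Added example (not from the original answer). Assumed names: user 'contractor1',
# group 'ContractorPCInstallers', OU 'Contractor PCs' under the domain root.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$ouName   = 'Contractor PCs'
$ouDN     = "OU=$ouName,$domainDN"
$group    = 'ContractorPCInstallers'

# Steps 1-2: an ordinary domain user (no Domain Admins membership), a group to hold
# such accounts, and the OU that will contain the PCs they build.
New-ADOrganizationalUnit -Name $ouName -Path $domainDN
New-ADGroup -Name $group -GroupScope Global -GroupCategory Security
New-ADUser -Name 'contractor1' -SamAccountName 'contractor1' -Enabled $true `
    -AccountPassword (Read-Host -AsSecureString 'Initial password for contractor1')
Add-ADGroupMember -Identity $group -Members 'contractor1'

# Step 3: delegate on this OU only, with two ACEs: create/delete Computer objects in
# the OU, and full control over Computer objects beneath it (needed to finish a join
# of a pre-staged account). bf967a86-0de6-11d0-a285-00aa003049e2 is the schemaIDGUID
# of the Computer class, so the grant cannot be used on users, groups or GPO links.
$computerClass = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
$sid   = (Get-ADGroup -Identity $group).SID
$allow = [System.Security.AccessControl.AccessControlType]::Allow
$acl   = Get-Acl -Path "AD:\$ouDN"
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, ([System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild'),
    $allow, $computerClass, [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)))
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::GenericAll, $allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents, $computerClass)))
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Step 6: pre-stage a computer account in the OU so the join does not count against
# ms-DS-MachineAccountQuota (default 10 per user) and the PC lands under the OU's GPOs.
New-ADComputer -Name 'CONTRACTOR-PC01' -Path $ouDN

# Check: list only the ACEs granted to the contractor group on the OU. Expect the two
# rules above and nothing wider; servers must live in a different OU entirely.
function Get-ContractorDelegation {
    (Get-Acl -Path "AD:\$ouDN").Access |
        Where-Object { $_.IdentityReference.Value -like "*\$group" } |
        Select-Object ActiveDirectoryRights, InheritanceType, ObjectType, InheritedObjectType
}
Get-ContractorDelegation
```

The local Administrators membership (step 5) and the deny-logon rights on the server OU are still set through Group Policy, not by this script.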

Expert Comment

ID: 39532610
What are you doing in your environment, and if you do deny local admin rights, how do you handle it when you or the user has to install software? Must you log out and back in as the local admin?

Just use the "Run As" option; no need to log out and back in with an admin account.

As for the other headaches, proper patch management should take care of that. In fact, I think giving them admin rights creates more headaches; there is so much crap they could do that you will have no idea where to start.

Refer to this link...


LVL 24

Assisted Solution

Sandeshdubey earned 664 total points
ID: 39538075
I would recommend proceeding as follows: create a normal helpdesk user account in AD and add it to the local Administrators group of the client computers. You can do this with a Restricted Groups GPO. Ensure that the Restricted Groups policy is configured correctly, else it will not only add the required members to local Administrators, but it will remove any members that were in local Admins previously. You need to select the bottom box under "This group is a member of," so it won't wipe out current members on all machines. http://www.frickelsoft.net/blog/?p=13

To add machines to the domain, delegate control to add machines to the domain in AD to the helpdesk ID. http://social.technet.microsoft.com/Forums/windowsserver/en-US/ced04bc6-705e-40f9-b6fb-64e13c1ca01c/account-to-add-a-machine-in-domain-in-windows2008r2

Ensure that servers are in a separate OU and the Restricted Groups GPO is not applied to the server OU. So by default the helpdesk user will not have access to servers. You can specifically deny logon to servers by adding the helpdesk ID to "Deny log on locally" and "Deny log on through Terminal Services". http://technet.microsoft.com/en-us/library/cc957048.aspx http://technet.microsoft.com/en-us/library/cc737453(v=ws.10).aspx

Hope this helps.
