Solved

Setting up a domain user to have local admin rights on domain pc's

Posted on 2014-01-23
9
7,984 Views
Last Modified: 2014-01-27
Hi,
I would like to create an account for a third party individual to allow them to access any domain pc and have local administrator rights only, NOT domain admin rights.

I was thinking that this was done if you made them a member of the xxxxx.local/Builtin Administrators group. Is this correct?

Is there a better way to allow the user 'local administrator' rights on to domain pc's and not domain controllers or even any member servers that we might have?

Please let me know as soon as possible.

Thank-you in advance for taking the time to respond back, it is greatly appreciated.

ElliTech
0
Comment
Question by:ellitech
9 Comments
 
LVL 13

Accepted Solution

by:
Andy M earned 400 total points
ID: 39803824
You can do this through a group policy to add the account for that user to the administrators group - then apply this only to the computers required (otherwise they will get admin access to the servers and everything else).

This should help:

http://community.spiceworks.com/how_to/show/907-gpo-to-push-out-local-administrators-across-a-domain
0
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 39803843
I would suggest you make a "Workstation Administrators" group in the domain and add THAT to every workstation.  Then you can add/remove members of that group at will.

Still, I wouldn't make that user account the user's primary account - if they get infected by something it could easily spread to EVERY workstation... instead, give them a "user-wadm" account in that group and instruct them to use that account for management purposes.
0
 

Author Comment

by:ellitech
ID: 39804261
Hi "Morty500UK" I followed the instructions on the link, however it granted the user more rights then we want to allow. By adding them to the Remote Desktop Users group, it allowed them to log in remotely to a DC, which is NOT allowed, how can we allow him only access to regular PCs and laptops but not servers?

Secondly, when adding group membership to the Administrators group, it also allowed access to the 'C' drive on a server by typing "\\servername\c$", which is also NOT allowed.

How can we allow him local administrator access to workstations but not to DC's and member servers?

ElliTech
0
 
LVL 3

Assisted Solution

by:Crower
Crower earned 100 total points
ID: 39805943
You can do it trough gpo like the first expert said, but the key us that this gpo only aplies to the workstations. You can do this with the   the scope of the gpo. Also you can do it if you have one OU when you have workstations only. This way, you can create the gpo and link with this gpo. Then, in tihs ou all warkstations the group Administartors have one user within but the other machines in rest of OU no
0
Backup Your Microsoft Windows Server®

Backup all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

 
LVL 13

Assisted Solution

by:Andy M
Andy M earned 400 total points
ID: 39806472
Hi

As noted in my original response ("then apply this only to the computers required (otherwise they will get admin access to the servers and everything else)") and also noted by Crower you need to apply the GPO to just the computers you want this person to have access to. If you apply it at a domain level if it will apply to servers as well.

If the workstations are put into a separate OU in Active Directory link the GPO to JUST that OU so it only applies to computers within there.
0
 

Author Comment

by:ellitech
ID: 39806749
I will look into this more deeply, strange how it allows remote access to servers.

ElliTech
0
 

Author Comment

by:ellitech
ID: 39806753
I would not think that it would allow remote access to DCs...

ElliTech
0
 

Author Closing Comment

by:ellitech
ID: 39807228
Thanks for your help

ElliTech
0
 
LVL 13

Expert Comment

by:Andy M
ID: 39811869
If the Administrators group has remote access to the server (i.e. is a member of the Remote Desktop Operators/Users group) adding the user as an Administrator of the server through the GPO/Manually would allow them this access.
0

Featured Post

Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
Windows Server DNS Recursion and Forwarders 12 69
shadow copies 7 17
Folder size tool 6 63
GPO Delegation 4 16
Scenario:  You do full backups to a internal hard drive in either product (SBS or Server 2008).  All goes well for a very long time.  One day, backups begin to fail with a message that the disk is full.  Your disk contains many, many more backups th…
The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This Micro Tutorial will give you a introduction in two parts how to utilize Windows Live Movie Maker to its maximum editing capability. This will be demonstrated using Windows Live Movie Maker on Windows 7 operating system.

759 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now