ellitech
asked on
Setting up a domain user to have local admin rights on domain PCs
Hi,
I would like to create an account for a third party individual to allow them to access any domain PC and have local administrator rights only, NOT domain admin rights.
I was thinking that this was done if you made them a member of the xxxxx.local/Builtin Administrators group. Is this correct?
Is there a better way to allow the user 'local administrator' rights on domain PCs and not domain controllers or even any member servers that we might have?
Please let me know as soon as possible.
Thank you in advance for taking the time to respond back, it is greatly appreciated.
ElliTech
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Hi "Morty500UK", I followed the instructions on the link; however, it granted the user more rights than we want to allow. By adding them to the Remote Desktop Users group, it allowed them to log in remotely to a DC, which is NOT allowed. How can we allow him only access to regular PCs and laptops but not servers?
Secondly, when adding group membership to the Administrators group, it also allowed access to the 'C' drive on a server by typing "\\servername\c$", which is also NOT allowed.
How can we allow him local administrator access to workstations but not to DC's and member servers?
ElliTech
ASKER
I will look into this more deeply, strange how it allows remote access to servers.
ElliTech
ASKER
I would not think that it would allow remote access to DCs...
ElliTech
ASKER
Thanks for your help
ElliTech
If the Administrators group has remote access to the server (i.e. is a member of the Remote Desktop Operators/Users group), adding the user as an Administrator of the server through the GPO/Manually would allow them this access.
Still, I wouldn't make that user account the user's primary account - if they get infected by something it could easily spread to EVERY workstation... instead, give them a "user-wadm" account in that group and instruct them to use that account for management purposes.
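
Added example, not from the thread or any of its posters: a PowerShell audit for the outcome the asker reported, where the delegated account ends up a local administrator on a server or DC instead of on workstations only. The domain `CONTOSO`, the group `Workstation-Admins`, the function name and the inventory rows are constructed assumptions; `user-wadm` is the account name suggested in the last comment.

```powershell
# Constructed sample inventory (CONTOSO and all rows are made up). In a live domain,
# rows like these could be collected with Get-ADComputer -Properties OperatingSystem
# and Get-LocalGroupMember -Group Administrators run on each machine.
$inventory = @(
    [pscustomobject]@{ Computer = 'WS-001'; OperatingSystem = 'Windows 10 Pro'
                       LocalAdmins = @('CONTOSO\Domain Admins', 'CONTOSO\Workstation-Admins') }
    [pscustomobject]@{ Computer = 'LT-014'; OperatingSystem = 'Windows 11 Enterprise'
                       LocalAdmins = @('CONTOSO\Domain Admins') }
    [pscustomobject]@{ Computer = 'FS-01'; OperatingSystem = 'Windows Server 2019 Standard'
                       LocalAdmins = @('CONTOSO\Domain Admins', 'CONTOSO\Workstation-Admins') }
    [pscustomobject]@{ Computer = 'DC-01'; OperatingSystem = 'Windows Server 2022 Standard'
                       LocalAdmins = @('CONTOSO\Domain Admins', 'CONTOSO\user-wadm') }
)

# Hypothetical helper: flags servers/DCs where the delegated group or account is an
# administrator, and workstations where the delegated group is missing.
function Find-MisplacedWorkstationAdmin {
    param(
        [Parameter(Mandatory)] [object[]] $Inventory,
        [Parameter(Mandatory)] [string]   $DelegatedGroup,
        [string[]] $DelegatedAccounts = @()
    )
    foreach ($row in $Inventory) {
        # DCs and member servers both report a "Server" operating system.
        $isServer = $row.OperatingSystem -match 'Server'
        $hits = @($row.LocalAdmins | Where-Object {
            $_ -eq $DelegatedGroup -or $_ -in $DelegatedAccounts
        })
        if ($isServer -and $hits.Count -gt 0) {
            [pscustomobject]@{
                Computer  = $row.Computer
                Finding   = 'Delegated principal is an administrator on a server'
                Principal = $hits -join ', '
            }
        }
        elseif (-not $isServer -and $row.LocalAdmins -notcontains $DelegatedGroup) {
            [pscustomobject]@{
                Computer  = $row.Computer
                Finding   = 'Workstation is missing the delegated group'
                Principal = $DelegatedGroup
            }
        }
    }
}

Find-MisplacedWorkstationAdmin -Inventory $inventory -DelegatedGroup 'CONTOSO\Workstation-Admins' -DelegatedAccounts 'CONTOSO\user-wadm' |
    Format-Table -AutoSize
```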