  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 8816

Setting up a domain user to have local admin rights on domain pc's

Hi,
I would like to create an account for a third party individual to allow them to access any domain pc and have local administrator rights only, NOT domain admin rights.

I was thinking that this was done if you made them a member of the xxxxx.local/Builtin Administrators group. Is this correct?

Is there a better way to allow the user 'local administrator' rights on to domain pc's and not domain controllers or even any member servers that we might have?

Please let me know as soon as possible.

Thank-you in advance for taking the time to respond back, it is greatly appreciated.

ElliTech
0
ellitech
Asked:
ellitech
3 Solutions
 
Andy MIT Systems Manager Commented:
You can do this through a group policy to add the account for that user to the administrators group - then apply this only to the computers required (otherwise they will get admin access to the servers and everything else).

This should help:

http://community.spiceworks.com/how_to/show/907-gpo-to-push-out-local-administrators-across-a-domain
0
 
Lee W, MVP Technology and Business Process Advisor Commented:
I would suggest you make a "Workstation Administrators" group in the domain and add THAT to every workstation.  Then you can add/remove members of that group at will.

Still, I wouldn't make that user account the user's primary account - if they get infected by something it could easily spread to EVERY workstation... instead, give them a "user-wadm" account in that group and instruct them to use that account for management purposes.
0
 
ellitech Author Commented:
Hi "Morty500UK" I followed the instructions on the link, however it granted the user more rights than we want to allow. By adding them to the Remote Desktop Users group, it allowed them to log in remotely to a DC, which is NOT allowed. How can we allow him only access to regular PCs and laptops but not servers?

Secondly, when adding group membership to the Administrators group, it also allowed access to the 'C' drive on a server by typing "\\servername\c$", which is also NOT allowed.

How can we allow him local administrator access to workstations but not to DC's and member servers?

ElliTech
0

 
Crower Commented:
You can do it through a GPO like the first expert said, but the key is that this GPO only applies to the workstations. You can do this with the scope of the GPO. You can also do it if you have one OU that contains workstations only. This way, you can create the GPO and link with this GPO. Then, on all workstations in this OU the Administrators group has the one user in it, but the machines in the rest of the OUs do not.
0
 
Andy MIT Systems Manager Commented:
Hi

As noted in my original response ("then apply this only to the computers required (otherwise they will get admin access to the servers and everything else)") and also noted by Crower, you need to apply the GPO to just the computers you want this person to have access to. If you apply it at a domain level it will apply to servers as well.

If the workstations are put into a separate OU in Active Directory link the GPO to JUST that OU so it only applies to computers within there.
0
 
ellitech Author Commented:
I will look into this more deeply, strange how it allows remote access to servers.

ElliTech
0
 
ellitech Author Commented:
I would not think that it would allow remote access to DCs...

ElliTech
0
 
ellitech Author Commented:
Thanks for your help

ElliTech
0
 
Andy MIT Systems Manager Commented:
If the Administrators group has remote access to the server (i.e. is a member of the Remote Desktop Operators/Users group) adding the user as an Administrator of the server through the GPO/Manually would allow them this access.
0
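The scoping advice in the answers above, as an added example that is not part of the original thread: it creates the "Workstation Administrators" group, links a GPO to a workstation-only OU, and then audits that the GPO is linked nowhere else and that no server or DC computer objects sit inside that OU. The OU path and GPO name are assumptions; the local Administrators membership setting itself is still configured in the GPO editor as described in the linked how-to.

```powershell
# Added example; OU path and GPO name are hypothetical, adjust to your domain.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$DomainDN      = (Get-ADDomain).DistinguishedName
$WorkstationOU = "OU=Workstations,$DomainDN"    # assumed OU holding only PCs and laptops
$GroupName     = 'Workstation Administrators'   # group name suggested in the thread
$GpoName       = 'Workstation Local Admins'     # assumed GPO name

# 1. Domain group whose members will become local admins on workstations.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
                -Path "CN=Users,$DomainDN"
}

# 2. GPO linked ONLY to the workstation OU, never at the domain root.
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName | Out-Null
}
$linkedHere = (Get-GPInheritance -Target $WorkstationOU).GpoLinks.DisplayName
if ($linkedHere -notcontains $GpoName) {
    New-GPLink -Name $GpoName -Target $WorkstationOU -LinkEnabled Yes | Out-Null
}

# 3. Audit: report anything that would extend the admin rights to servers or DCs.
function Test-WorkstationAdminScope {
    $findings = @()
    # Every container the GPO is linked to, in canonical form (domain/OU path).
    [xml]$report = Get-GPOReport -Name $GpoName -ReportType Xml
    $expected = (Get-ADOrganizationalUnit $WorkstationOU -Properties CanonicalName).CanonicalName
    foreach ($link in $report.GPO.LinksTo) {
        if ($link.SOMPath -ne $expected) {
            $findings += "GPO is also linked to: $($link.SOMPath)"
        }
    }
    # Server operating systems (this includes DCs) inside the workstation OU.
    $servers = Get-ADComputer -SearchBase $WorkstationOU -SearchScope Subtree `
                   -Filter "OperatingSystem -like '*Server*'" -Properties OperatingSystem
    foreach ($s in $servers) {
        $findings += "Server in workstation OU: $($s.Name) ($($s.OperatingSystem))"
    }
    return $findings
}

$problems = Test-WorkstationAdminScope
if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else           { Write-Output "GPO '$GpoName' is scoped to workstations only." }
```

Run it from a machine with the RSAT ActiveDirectory and GroupPolicy modules installed; any warning it prints points to a link or computer object that would give the account admin rights beyond workstations.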
