Solved

Setting up a domain user to have local admin rights on domain PCs

Posted on 2014-01-23
Last Modified: 2014-01-27
Hi,
I would like to create an account for a third party individual to allow them to access any domain pc and have local administrator rights only, NOT domain admin rights.

I was thinking that this was done if you made them a member of the xxxxx.local/Builtin Administrators group. Is this correct?

Is there a better way to allow the user 'local administrator' rights on domain PCs and not domain controllers or even any member servers that we might have?

Please let me know as soon as possible.

Thank you in advance for taking the time to respond back, it is greatly appreciated.

ElliTech
0
Question by:ellitech
9 Comments
 
LVL 13

Accepted Solution

by:
Andy M earned 400 total points
ID: 39803824
You can do this through a group policy to add the account for that user to the administrators group - then apply this only to the computers required (otherwise they will get admin access to the servers and everything else).

This should help:

http://community.spiceworks.com/how_to/show/907-gpo-to-push-out-local-administrators-across-a-domain
0
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 39803843
I would suggest you make a "Workstation Administrators" group in the domain and add THAT to every workstation.  Then you can add/remove members of that group at will.

Still, I wouldn't make that user account the user's primary account - if they get infected by something it could easily spread to EVERY workstation... instead, give them a "user-wadm" account in that group and instruct them to use that account for management purposes.
0
 

Author Comment

by:ellitech
ID: 39804261
Hi "Morty500UK", I followed the instructions on the link; however, it granted the user more rights than we want to allow. By adding them to the Remote Desktop Users group, it allowed them to log in remotely to a DC, which is NOT allowed. How can we allow him only access to regular PCs and laptops but not servers?

Secondly, when adding group membership to the Administrators group, it also allowed access to the 'C' drive on a server by typing "\\servername\c$", which is also NOT allowed.

How can we allow him local administrator access to workstations but not to DCs and member servers?

ElliTech
0

 
LVL 3

Assisted Solution

by:Crower
Crower earned 100 total points
ID: 39805943
You can do it through a GPO like the first expert said, but the key is that this GPO only applies to the workstations. You can do this with the scope of the GPO. Also, you can do it if you have one OU where you have workstations only. This way, you can create the GPO and link with this GPO. Then, in this OU, all workstations have one user within the Administrators group, but the other machines in the rest of the OUs do not.
0
 
LVL 13

Assisted Solution

by:Andy M
Andy M earned 400 total points
ID: 39806472
Hi

As noted in my original response ("then apply this only to the computers required (otherwise they will get admin access to the servers and everything else)") and also noted by Crower, you need to apply the GPO to just the computers you want this person to have access to. If you apply it at a domain level, it will apply to servers as well.

If the workstations are put into a separate OU in Active Directory, link the GPO to JUST that OU so it only applies to computers within there.
0
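
The scoping described in the answers above, as an added PowerShell example that is not part of the original thread: before linking the local-admin GPO, it checks that the workstation OU contains no servers or DCs and that the GPO is not already linked at the domain root. The OU path and GPO name are placeholder assumptions, and the ActiveDirectory and GroupPolicy modules are assumed to be installed.

```powershell
#Requires -Modules ActiveDirectory, GroupPolicy
# Added example. Both values below are hypothetical placeholders, not taken from the thread.
$WorkstationOu = 'OU=Workstations,DC=example,DC=local'  # OU meant to hold only PCs and laptops
$GpoName       = 'Workstation Local Admins'             # GPO that adds the group to local Administrators

# 1. Every computer object the GPO would reach if linked to this OU (sub-OUs included).
$inScope = Get-ADComputer -Filter * -SearchBase $WorkstationOu -SearchScope Subtree `
    -Properties OperatingSystem, PrimaryGroupID

# 2. Flag anything that is not a plain workstation.
#    PrimaryGroupID 516 = Domain Controllers, 521 = Read-only Domain Controllers.
$unwanted = $inScope | Where-Object {
    $_.PrimaryGroupID -in 516, 521 -or $_.OperatingSystem -like '*Server*'
}

if ($unwanted) {
    Write-Warning "Servers or DCs found under $WorkstationOu; move them before linking:"
    $unwanted | Select-Object Name, OperatingSystem, DistinguishedName | Format-Table -AutoSize
    return
}

# 3. Make sure the GPO is not linked at the domain root, where it would
#    also be inherited by member servers and the Domain Controllers OU.
$domainDn  = (Get-ADDomain).DistinguishedName
$rootLinks = (Get-GPInheritance -Target $domainDn).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }

if ($rootLinks) {
    Write-Warning "'$GpoName' is linked at $domainDn and applies to servers and DCs as well."
    return
}

# 4. Link the GPO to the workstation OU only.
New-GPLink -Name $GpoName -Target $WorkstationOu -LinkEnabled Yes
```

Running `gpresult /r /scope computer` on a member server after the next policy refresh should not list the GPO among the applied computer policies.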
 

Author Comment

by:ellitech
ID: 39806749
I will look into this more deeply, strange how it allows remote access to servers.

ElliTech
0
 

Author Comment

by:ellitech
ID: 39806753
I would not think that it would allow remote access to DCs...

ElliTech
0
 

Author Closing Comment

by:ellitech
ID: 39807228
Thanks for your help

ElliTech
0
 
LVL 13

Expert Comment

by:Andy M
ID: 39811869
If the Administrators group has remote access to the server (i.e. is a member of the Remote Desktop Operators/Users group) adding the user as an Administrator of the server through the GPO/Manually would allow them this access.
0
