Solved

Setting up a domain user to have local admin rights on domain pc's

Posted on 2014-01-23
Last Modified: 2014-01-27
Hi,
I would like to create an account for a third party individual to allow them to access any domain pc and have local administrator rights only, NOT domain admin rights.

I was thinking that this was done if you made them a member of the xxxxx.local/Builtin Administrators group. Is this correct?

Is there a better way to allow the user 'local administrator' rights on domain PCs and not domain controllers or even any member servers that we might have?

Please let me know as soon as possible.

Thank-you in advance for taking the time to respond back, it is greatly appreciated.

ElliTech
0
Question by:ellitech
9 Comments
 
LVL 13

Accepted Solution

by:
Andy M earned 400 total points
ID: 39803824
You can do this through a group policy to add the account for that user to the administrators group - then apply this only to the computers required (otherwise they will get admin access to the servers and everything else).

This should help:

http://community.spiceworks.com/how_to/show/907-gpo-to-push-out-local-administrators-across-a-domain
0
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 39803843
I would suggest you make a "Workstation Administrators" group in the domain and add THAT to every workstation.  Then you can add/remove members of that group at will.

Still, I wouldn't make that user account the user's primary account - if they get infected by something it could easily spread to EVERY workstation... instead, give them a "user-wadm" account in that group and instruct them to use that account for management purposes.
0
 

Author Comment

by:ellitech
ID: 39804261
Hi "Morty500UK", I followed the instructions on the link, however it granted the user more rights than we want to allow. By adding them to the Remote Desktop Users group, it allowed them to log in remotely to a DC, which is NOT allowed. How can we allow him only access to regular PCs and laptops but not servers?

Secondly, when adding group membership to the Administrators group, it also allowed access to the 'C' drive on a server by typing "\\servername\c$", which is also NOT allowed.

How can we allow him local administrator access to workstations but not to DC's and member servers?

ElliTech
0
 
LVL 3

Assisted Solution

by:Crower
Crower earned 100 total points
ID: 39805943
You can do it through GPO like the first expert said, but the key is that this GPO only applies to the workstations. You can do this with the scope of the GPO. Also you can do it if you have one OU where you have workstations only. This way, you can create the GPO and link with this GPO. Then, in this OU, on all workstations the group Administrators has the one user within, but the other machines in the rest of the OUs do not.
0
 
LVL 13

Assisted Solution

by:Andy M
Andy M earned 400 total points
ID: 39806472
Hi

As noted in my original response ("then apply this only to the computers required (otherwise they will get admin access to the servers and everything else)") and also noted by Crower, you need to apply the GPO to just the computers you want this person to have access to. If you apply it at a domain level it will apply to servers as well.

If the workstations are put into a separate OU in Active Directory link the GPO to JUST that OU so it only applies to computers within there.
0
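
The scoping advice in the answers above, as an added example that is not part of any poster's reply: a PowerShell check that the local-admin GPO is linked only to the workstation OU and that the OU holds no servers or domain controllers. The OU path and GPO name are assumed placeholders; the group name is the one suggested earlier in the thread, and the GPO itself is assumed to have been created already as described in the linked how-to.

```powershell
# Added example: scope audit for the local-admin GPO discussed in this thread.
# Assumed names: the OU path and GPO name are placeholders, not from the thread.
Import-Module ActiveDirectory, GroupPolicy

$WorkstationOU = 'OU=Workstations,DC=xxxxx,DC=local'   # assumed workstation-only OU
$GpoName       = 'Workstation Local Admins'            # assumed GPO name
$GroupName     = 'Workstation Administrators'          # group name suggested in the thread

# Create the domain group once; the GPO adds this group (not individual users)
# to the local Administrators group on each workstation.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security
}

# 1. Where is the GPO linked? Any enabled link other than the workstation OU
#    (for example the domain root) pushes the group onto servers and DCs too.
$ouPath = (Get-ADOrganizationalUnit -Identity $WorkstationOU -Properties CanonicalName).CanonicalName
$report = [xml](Get-GPOReport -Name $GpoName -ReportType Xml)
$badLinks = @($report.GPO.LinksTo |
    Where-Object { $_.Enabled -eq 'true' -and $_.SOMPath -ne $ouPath })

# 2. Is the OU really workstation-only? Flag server operating systems and
#    domain controllers (primary group 516 = DCs, 521 = read-only DCs).
$misplaced = @(Get-ADComputer -SearchBase $WorkstationOU -Filter * -Properties OperatingSystem, PrimaryGroupID |
    Where-Object { $_.OperatingSystem -like '*Server*' -or $_.PrimaryGroupID -in 516, 521 })

# Report findings; silence on both checks means the scope matches the intent.
$badLinks  | ForEach-Object { Write-Warning "GPO also linked at: $($_.SOMPath)" }
$misplaced | ForEach-Object { Write-Warning "Non-workstation in OU: $($_.Name) ($($_.OperatingSystem))" }
if (-not $badLinks -and -not $misplaced) {
    "Scope OK: '$GpoName' reaches only computers under $ouPath"
}
```

Run it from a management host with the RSAT ActiveDirectory and GroupPolicy modules installed; a warning from either check means the GPO can reach machines outside the intended workstation set.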
 

Author Comment

by:ellitech
ID: 39806749
I will look into this more deeply, strange how it allows remote access to servers.

ElliTech
0
 

Author Comment

by:ellitech
ID: 39806753
I would not think that it would allow remote access to DCs...

ElliTech
0
 

Author Closing Comment

by:ellitech
ID: 39807228
Thanks for your help

ElliTech
0
 
LVL 13

Expert Comment

by:Andy M
ID: 39811869
If the Administrators group has remote access to the server (i.e. is a member of the Remote Desktop Operators/Users group) adding the user as an Administrator of the server through the GPO/Manually would allow them this access.
0
