Solved

Setting up a domain user to have local admin rights on domain pc's

Posted on 2014-01-23
Last Modified: 2014-01-27
Hi,
I would like to create an account for a third party individual to allow them to access any domain pc and have local administrator rights only, NOT domain admin rights.

I was thinking that this was done if you made them a member of the xxxxx.local/Builtin Administrators group. Is this correct?

Is there a better way to allow the user 'local administrator' rights on to domain pc's and not domain controllers or even any member servers that we might have?

Please let me know as soon as possible.

Thank you in advance for taking the time to respond back, it is greatly appreciated.

ElliTech
Question by:ellitech
9 Comments
 
LVL 13

Accepted Solution

by:
Andy M earned 400 total points
ID: 39803824
You can do this through a group policy to add the account for that user to the administrators group - then apply this only to the computers required (otherwise they will get admin access to the servers and everything else).

This should help:

http://community.spiceworks.com/how_to/show/907-gpo-to-push-out-local-administrators-across-a-domain
0
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 39803843
I would suggest you make a "Workstation Administrators" group in the domain and add THAT to every workstation.  Then you can add/remove members of that group at will.

Still, I wouldn't make that user account the user's primary account - if they get infected by something it could easily spread to EVERY workstation... instead, give them a "user-wadm" account in that group and instruct them to use that account for management purposes.
0
 

Author Comment

by:ellitech
ID: 39804261
Hi "Morty500UK", I followed the instructions on the link, however it granted the user more rights than we want to allow. By adding them to the Remote Desktop Users group, it allowed them to log in remotely to a DC, which is NOT allowed. How can we allow him access only to regular PCs and laptops but not servers?

Secondly, when adding group membership to the Administrators group, it also allowed access to the 'C' drive on a server by typing "\\servername\c$", which is also NOT allowed.

How can we allow him local administrator access to workstations but not to DC's and member servers?

ElliTech
0

 
LVL 3

Assisted Solution

by:Crower
Crower earned 100 total points
ID: 39805943
You can do it through GPO like the first expert said, but the key is that this GPO only applies to the workstations. You can do this with the scope of the GPO. Also you can do it if you have one OU where you have workstations only. This way, you can create the GPO and link with this GPO. Then, in this OU all workstations have the one user within the Administrators group, but the other machines in the rest of the OUs do not.
0
 
LVL 13

Assisted Solution

by:Andy M
Andy M earned 400 total points
ID: 39806472
Hi

As noted in my original response ("then apply this only to the computers required (otherwise they will get admin access to the servers and everything else)") and also noted by Crower, you need to apply the GPO to just the computers you want this person to have access to. If you apply it at a domain level, it will apply to servers as well.

If the workstations are put into a separate OU in Active Directory, link the GPO to JUST that OU so it only applies to computers within there.
0
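A scoping check for the advice in the answers above, as an added example that is not part of any poster's reply: it finds every container the local-admin GPO is linked to and flags any domain controller or server underneath a link. It assumes the RSAT ActiveDirectory and GroupPolicy modules are available and uses a hypothetical GPO name, `Workstation Local Admins`; it reports link scope only and does not evaluate security filtering, WMI filters or blocked inheritance.

```powershell
# Added example: audit which computers a local-admin GPO can reach.
# Assumptions: RSAT ActiveDirectory and GroupPolicy modules are installed,
# and the GPO is named 'Workstation Local Admins' (hypothetical name).
Import-Module ActiveDirectory, GroupPolicy

$GpoName = 'Workstation Local Admins'   # hypothetical GPO name
$gpo     = Get-GPO -Name $GpoName -ErrorAction Stop
$domain  = Get-ADDomain

# Collect every container (domain root or OU) whose gPLink references this GPO.
$linked = @()
if ($domain.LinkedGroupPolicyObjects -like "*$($gpo.Id)*") {
    $linked += $domain.DistinguishedName
}
$linked += @(Get-ADOrganizationalUnit -Filter * -Properties LinkedGroupPolicyObjects |
    Where-Object { $_.LinkedGroupPolicyObjects -like "*$($gpo.Id)*" } |
    Select-Object -ExpandProperty DistinguishedName)

if (-not $linked) { Write-Warning "GPO '$GpoName' is not linked anywhere."; return }

# Enumerate computers beneath each link and flag DCs and server operating systems.
# primaryGroupID 516 = Domain Controllers, 521 = Read-only Domain Controllers.
$report = foreach ($container in $linked) {
    Get-ADComputer -SearchBase $container -SearchScope Subtree -Filter * `
        -Properties OperatingSystem, PrimaryGroupID |
    ForEach-Object {
        $isDc     = $_.PrimaryGroupID -in 516, 521
        $isServer = $_.OperatingSystem -like '*Server*'
        [pscustomobject]@{
            Computer = $_.Name
            LinkedAt = $container
            OS       = $_.OperatingSystem
            Finding  = if ($isDc) { 'DOMAIN CONTROLLER in scope' }
                       elseif ($isServer) { 'Server in scope' }
                       else { 'OK (workstation)' }
        }
    }
}

# A computer under two nested links is listed once.
$report | Sort-Object Finding, Computer -Unique | Format-Table -AutoSize
```

Any row other than `OK (workstation)` means the link sits too high in the tree, for example at the domain root, which is the situation the asker describes.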
 

Author Comment

by:ellitech
ID: 39806749
I will look into this more deeply, strange how it allows remote access to servers.

ElliTech
0
 

Author Comment

by:ellitech
ID: 39806753
I would not think that it would allow remote access to DCs...

ElliTech
0
 

Author Closing Comment

by:ellitech
ID: 39807228
Thanks for your help

ElliTech
0
 
LVL 13

Expert Comment

by:Andy M
ID: 39811869
If the Administrators group has remote access to the server (i.e. is a member of the Remote Desktop Operators/Users group) adding the user as an Administrator of the server through the GPO/Manually would allow them this access.
0

Question has a verified solution.
