Give local admin rights to user on domain computers

My company is currently using a server with Windows Server 2008 SBS. I have always been the person that has managed IT for the entire company. Due to growth, we are adding a part-time tech to help with smaller issues. I need him to have local admin rights on most of the domain-connected computers. He is not going to have access to management's computers or the servers, though. What is the best way to accomplish this?
Robcarter10 Asked:

Dariusz Tyka (ICT Infrastructure Specialist Senior) Commented:
I would use restricted groups for that or group policy preferences. Using both methods you can add his account (or even better a group he is a member of) to the local administrators group on domain computers.
http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/
1

Jeremy Weisinger (Senior Network Consultant / Engineer) Commented:
Use the SBS console to assign the user to the computers.
https://technet.microsoft.com/en-us/library/cc527565%28v=ws.11%29.aspx?f=255&MSPPError=-2147217396

Or restricted groups if you're planning on getting rid of the SBS server (which you should probably). :)
0
Alan (Consultant) Commented:
I agree with using Restricted Groups for this (should work on SBS too - not sure why it wouldn't Jeremy?)

I would create a Security Group, probably for now with only the new IT Tech in it, then deploy that group to all machines that you want them to have full admin access to using a Restricted Group GPO, and put the group in the local machine's Administrators group.

To make it easy to manage, I would have a separate OU for the user machines that they can access (probably a new sub-OU under the existing one) and put the user machines that they are allowed to manage in that new OU, then target the GPO to machines in that OU.


Alan.
0

Jeremy Weisinger (Senior Network Consultant / Engineer) Commented:
> I agree with using Restricted Groups for this (should work on SBS too - not sure why it wouldn't Jeremy?)
Oh it definitely would but with SBS you can assign the user as an admin to all the computers in just a few clicks.

Also, since it's SBS, I wouldn't mess with the OU structure unless you don't want to use the SBS console. There are some things you can do with it but generally, you should just use the SBS console to administer an SBS server.
0
Alan (Consultant) Commented:
Hi Jeremy,

I see - totally agree about using the console / wizards with SBS.

Thanks,

Alan.
0
Shaun Vermaak (Technical Specialist IV) Commented:
Have a look at this article on how to create global admin groups
https://www.experts-exchange.com/articles/29596/Securing-Active-Directory-Administrators-Groups.html
0
Robcarter10 (Author) Commented:
Sorry for the delayed response. I was out sick from work the rest of last week after posting this. Dariusz, I have tried your solution and I got it to work one time. I am not that familiar with group policy since I have always used an SBS Server and most policies are preconfigured. Anyway, I set up a group for workstation admins and I am having trouble getting it to apply to the workstation. I was trying to use the scope to only get this policy to apply to certain computers and I did get the workstation admin group to appear in the builtin administrators group one time. In the process of trying to figure out how I did it, it disappeared again and I am unable to get it to work again. I am guessing that the scope has something to do with it. Any advice?
0
Alan (Consultant) Commented:
Hi Rob,

Have you put the machines that you want the new tech to be able to administer into a new sub-OU, probably under SBSComputers?

If you already did that, then target the new GPO to that OU only.

Does that work?

Thanks,

Alan.
0
Robcarter10 (Author) Commented:
That worked
0
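
The setup that resolved this thread (a security group, a sub-OU for the workstations the tech may manage, and a GPO linked only to that OU), as an added PowerShell example that is not part of any poster's reply. It also goes one step further and audits that the group is absent from the machines that must stay off-limits. It assumes the ActiveDirectory and GroupPolicy modules are available where it runs; the domain, OU path, group, account and computer names are placeholders.

```powershell
# Added example: every name, path and account below is a placeholder or assumption.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn = 'DC=example,DC=local'                                   # placeholder domain
$parentOu = "OU=SBSComputers,OU=Computers,OU=MyBusiness,$domainDn"  # assumed path of SBSComputers
$subOu    = "OU=TechManaged,$parentOu"                              # hypothetical sub-OU
$groupSam = 'WorkstationAdmins'                                     # hypothetical group
$techUser = 'parttime.tech'                                         # hypothetical account
$managed  = 'WS01', 'WS02'                                          # constructed: tech may administer
$excluded = 'MGMT01', 'SERVER01'                                    # constructed: must stay off-limits

# 1. Security group; rights follow group membership, not the individual account.
New-ADGroup -Name $groupSam -SamAccountName $groupSam -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity $groupSam -Members $techUser

# 2. Sub-OU that holds only the workstations in scope.
New-ADOrganizationalUnit -Name 'TechManaged' -Path $parentOu
foreach ($name in $managed) {
    Get-ADComputer -Identity $name | Move-ADObject -TargetPath $subOu
}

# 3. Empty GPO linked to the sub-OU only. The Restricted Groups entry is then added
#    in the GPO editor: Computer Configuration > Policies > Windows Settings >
#    Security Settings > Restricted Groups.
New-GPO -Name 'Workstation Admins - Local Administrators' |
    New-GPLink -Target $subOu -LinkEnabled Yes

# 4. Audit helper: is $Member in the local Administrators group of $ComputerName?
function Test-LocalAdminMember {
    param([string]$ComputerName, [string]$Member)
    # WinNT provider; assumes the English group name and admin access to the target.
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    $names = @($group.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
    return ($names -contains $Member)
}

# Run after the workstations have refreshed policy (gpupdate /force or a reboot).
foreach ($name in ($managed + $excluded)) {
    $expected = $managed -contains $name
    $actual   = Test-LocalAdminMember -ComputerName $name -Member $groupSam
    New-Object PSObject -Property @{
        Computer = $name; Expected = $expected; Actual = $actual; OK = ($expected -eq $actual)
    }
}
```

In the Restricted Groups entry, adding the group with "This group is a member of: Administrators" appends it to the local group, while defining Administrators with "Members of this group" replaces the existing membership.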