Give local admin rights to user on domain computers
My company is currently using a server with Windows Server 2008 SBS. I have always been the person that has managed IT for the entire company. Due to growth, we are adding a part time tech to help with smaller issues. I need him to have local admin rights on most of the domain connected computers. He is not going to have access to managements computers or the servers though. What is the best way to accomplish this?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
I agree with using Restricted Groups for this (should work on SBS too - not sure why it wouldn't Jeremy?)
I would create a Security Group, probably for now with only the new IT Tech in it, then deploy that group to all machines that you want them to have full admin access to using a Restricted Group GPO, and put the group in the local machine's Administrators group.
To make it easy to manage, I would have a separate OU for the user machines that they can access (probably a new sub-OU under the existing one) and put the user machines that they are allowed to manage in that new OU, then target the GPO to machines in that OU.
Alan.
I would create a Security Group, probably for now with only the new IT Tech in it, then deploy that group to all machines that you want them to have full admin access to using a Restricted Group GPO, and put the group in the local machine's Administrators group.
To make it easy to manage, I would have a separate OU for the user machines that they can access (probably a new sub-OU under the existing one) and put the user machines that they are allowed to manage in that new OU, then target the GPO to machines in that OU.
Alan.
I agree with using Restricted Groups for this (should work on SBS too - not sure why it wouldn't Jeremy?)Oh it definitely would but with SBS you can assign the user as an admin to all the computers in just a few clicks.
Also, since it's SBS, I wouldn't mess with the OU structure unless you don't want to use the SBS console. There are some things you can do with it but generally, you should just use the SBS console to administer an SBS server.
Hi Jeremy,
I see - totally agree about using the console / wizards with SBS.
Thanks,
Alan.
I see - totally agree about using the console / wizards with SBS.
Thanks,
Alan.
Have a look at this article on how to create global admin groups
https://www.experts-exchange.com/articles/29596/Securing-Active-Directory-Administrators-Groups.html
https://www.experts-exchange.com/articles/29596/Securing-Active-Directory-Administrators-Groups.html
ASKER
Sorry for the delayed response. I was out sick from work the rest of last week after posting this. Dariusz, I have tried your solution and I got it to work one time. I am not that familiar with group policy since I have always used an SBS Server and most policies are preconfigured. Anyway, I setup a group for workstation admins and I am having trouble getting it to apply to the workstation. I was trying to use the scope to only get this policy to apply to certain computers and I did get the workstation admin group to appear in the builtin administrators group one time. In the process of trying to figure out how I did it, it disappeared again and I unable to get it to work again. I am guessing that the scope has something to do with it. Any advice?
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
That worked
https://technet.microsoft.com/en-us/library/cc527565%28v=ws.11%29.aspx?f=255&MSPPError=-2147217396
Or restricted groups if you're planning on getting rid of the SBS server (which you should probably). :)