Re: Allowing a domain user account (specify) to add workstation to Windows 2000 domain (SP4)
- From: "Paul Bergson [MVP-DS]" <pbergson@xxxxxxxxxxxxxxxxx>
- Date: Tue, 14 Nov 2006 07:51:33 -0600
Just use a standard domain user and create a new domain group that is placed
into the local administrators group on the workstation. If you use
restricted groups you can then modify the group membership to get users into
and out of the local admin groups with minimal effort.
The GPO settings are at:
computer configuration \ windows settings \ restricted groups
group = your group to be made local admins
member of = BUILTIN\Administrators
http://www.windowsecurity.com/articles/Using-Restricted-Groups.html
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/156780ef-eb36-4433-b3fe-1b1a15c18f6a.mspx
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_scerestrictgroups.mspx
There is absolutely nothing that has to be done on the client side.
Create the GPO in the OU where the computers reside (NOT the users), go to
computer configuration/windows settings/security settings/restricted groups,
right click on restricted groups and select new group (for the local
computers, this group name should be - administrators) and key in the group
you want auto populated. Select add on the Members of this group and then
add the members you want populated.
To provide users the ability to add workstations, delegate the right to a
group (the same group as in the restricted group used above?).
Create a new security group and provide it the ability to only join
computers to the domain via the "Delegation of Control" wizard. Then join
the user account to this new group.
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/activedirectory/stepbystep/ctrlwiz.mspx
--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
"J.H" <jpthsd@xxxxxxxxxxx> wrote in message
news:OWtAcS1BHHA.4740@xxxxxxxxxxxxxxxxxxxxxxx
Hi,
Previously, we removed the right to add workstations to the Windows 2000
domain.
However, now we are trying to expand our IT dept, so we are hiring more IT Help
Desk Support.
We'd like to allow an IT Help Desk Support technician to (without giving the
account the domain_admin right):
a. log on to the workstation with administrator privilege (domain logon)
b. have the ability to add any workstation to the Windows 2000 domain
If anyone can suggest a hint, please let us know; we appreciate your help.
Regards,
JPTH
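
An added example, not part of the original post or of any Microsoft tooling: the reply mentions both the "member of" setting and the "Members of this group" setting under Restricted Groups, which appear in a GPO's security template as `__Memberof` and `__Members` entries. The Python sketch below reads already-decoded template text and reports, for each entry touching local Administrators (S-1-5-32-544), whether it adds a group or replaces the whole membership; the sample template and its SIDs are constructed placeholders.

```python
# Added example (not from the original post). Sample template and SIDs are constructed.
ADMIN_IDS = {"s-1-5-32-544", "administrators", "builtin\\administrators"}

SAMPLE_INF = r"""
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-21-1111111111-2222222222-3333333333-1105__Memberof = *S-1-5-32-544
*S-1-5-21-1111111111-2222222222-3333333333-1105__Members =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-512,*S-1-5-21-1111111111-2222222222-3333333333-1106
"""

def _clean(principal):
    """Drop whitespace and the leading '*' that marks a SID in the template."""
    return principal.strip().lstrip("*")

def _is_admins(principal):
    return _clean(principal).lower() in ADMIN_IDS

def audit_restricted_groups(inf_text):
    """Return one finding per entry that changes local Administrators."""
    findings, section = [], None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "group membership" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        group, sep, kind = key.strip().rpartition("__")
        if not sep:
            continue
        entries = [_clean(e) for e in value.split(",") if e.strip()]
        kind = kind.lower()
        if kind == "members" and _is_admins(group):
            # "Members of this group": listed accounts replace the current membership.
            findings.append({"mode": "replace", "admins": entries})
        elif kind == "memberof" and any(_is_admins(e) for e in entries):
            # "This group is a member of": group is added, existing members stay.
            findings.append({"mode": "add", "admins": [_clean(group)]})
    return findings

if __name__ == "__main__":
    for f in audit_restricted_groups(SAMPLE_INF):
        print(f["mode"], ", ".join(f["admins"]))
```

A "replace" finding deserves review before the policy is linked, since any account not listed is dropped from local Administrators on the computers in that OU.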