Re: Domain Rights
From: Tyler (Tyler_at_discussions.microsoft.com)
Date: 02/09/05
- Next message: Sabo, Eric: "Office 2003"
- Previous message: HDZ: "Is this the best solution?"
- In reply to: Burtsev Dmitry: "Re: Domain Rights"
- Next in thread: ptwilliams: "Re: Domain Rights"
- Messages sorted by: [ date ] [ thread ]
Date: Wed, 9 Feb 2005 08:05:04 -0800
If you use restricted groups to add the following users as local admins on
each PC you might run into problems.
Add:
Domain Admins
IT_Techs
By only adding those groups you will lose any other entries in the local
admin group. For example, if you have given each user local admin rights on their
machine, those rights will go away.
Another way to do this is to create a GPO with a startup script that adds
your needed accounts/groups to the local admin group. This preserves your
current local admin group settings. This will require a new OU for your
client machines as you cannot apply a GPO to the default computers container.
"Burtsev Dmitry" wrote:
> Hello.
> I think this can help you.
> 1. Create a group for IT Techs and add necessary accounts
> 2. Create an OU for users. Move necessary groups to this OU (don't forget
> Domain Users!)
> Delegate for IT_techs group appropriate permissions (create, delete and
> manage user accounts, reset user passwords, modify the membership of group).
> Delegation of control wizard will help you.
> 3. Create a new OU for computers. Delegate permissions create/delete
> computer objects on this OU for IT Techs group.
> 4. Create Group policy object on computer OU. In this GPO define Restricted
> groups policy. Add IT_Techs to local administrators group. Don't forget
> about domain admins!
> About restricted groups you can read in these articles
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;279301
> http://support.microsoft.com/default.aspx?scid=kb;en-us;810076
>
>
> --
> Dmitry Burtsev [burtsev@removethis.km.ru]
>
>
>
> "Kevin" <Kevin@discussions.microsoft.com> wrote in message
> news:06a401c50eb4$28f93510$a401280a@phx.gbl...
> > I want to be able to take our IT Techs out of the Domain
> > Admin Group but I need a way for these same users to do
> > Administrative tasks. Our environment consists of XP
> > stations and Server 2003 Domain Controller. The IT Techs
> > need to be able to add and remove computers from the
> > domain, reset passwords and if possible have full access
> > to the local XP stations (Local Admins on these boxes?)
> > ADMIN share for remote assistance and other administrative
> > functions. Is there a way to do this through Group Policy
> > or creating another OU and delegating some of these
> > abilities? Thanks in advance
>
>
>
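The startup-script approach from Tyler's reply, as an added example that is not part of the original thread: a computer startup script that adds the required groups to local Administrators and leaves existing members alone. It assumes clients with Windows PowerShell 5.1 (the LocalAccounts cmdlets, which the thread's XP stations do not have) and uses `CONTOSO` as a placeholder domain name.

```powershell
# Added example: computer startup script, assigned through a GPO linked to the
# OU that holds the client machines. Startup scripts run as SYSTEM.
# Assumptions: CONTOSO is a placeholder NetBIOS domain name; IT_Techs is the
# group created in the thread; Windows PowerShell 5.1 is present on the client.
$required = @('CONTOSO\Domain Admins', 'CONTOSO\IT_Techs')

# Resolve the group by its well-known SID so the script also works on
# localized installs where the group is not named "Administrators".
$admins = Get-LocalGroup -SID 'S-1-5-32-544'

foreach ($member in $required) {
    try {
        Add-LocalGroupMember -Group $admins -Member $member -ErrorAction Stop
        Write-Output "Added $member to $($admins.Name)"
    }
    catch [Microsoft.PowerShell.Commands.MemberExistsException] {
        # Already present: nothing to do, so the script is safe at every boot.
        Write-Output "$member is already a member of $($admins.Name)"
    }
    catch {
        # Typical causes: no domain controller reachable yet, or a misspelled name.
        Write-Warning "Could not add ${member}: $($_.Exception.Message)"
    }
}

# The script only adds. Anything else already in the group (for example
# per-user admin rights) stays there, so list the result for review.
try {
    Get-LocalGroupMember -Group $admins -ErrorAction Stop |
        Select-Object Name, ObjectClass, PrincipalSource |
        Format-Table -AutoSize | Out-String | Write-Output
}
catch {
    Write-Warning "Could not list members: $($_.Exception.Message)"
}
```

Because the script never removes anything, unwanted local admins persist until someone reviews the listed membership; that is the trade-off against Restricted Groups described in the reply.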