Re: Needing advice for administrative rights....

From: Cheryl (Cheryl_at_discussions.microsoft.com)
Date: 03/07/05


Date: Mon, 7 Mar 2005 04:09:05 -0800

When I tried this out and I tried to add the local administrator group I only
get the option to add a domain group and not a local group. I cannot switch
from domain to local computer...

Any ideas...

Cheryl

"gordonah" wrote:

> Cheryl
>
> expanding on what Joe said, you can manage the membership list of the local
> Administrator group on PCs using the Restricted Groups functionality. You'll
> find this under Computer settings -> Windows Settings -> Security settings ->
> Restricted groups. Right-click to Add a group (selecting Administrators from
> your local PCs will translate into the Administrator group on any started
> PC). You can then select the users you wish to be populated in this group (by
> double-clicking and selecting Add).
> The big caveat with the use of this is the settings are not additive with
> either the local settings or previously applied GPO, therefore the last GPO
> to run sets the membership list in its entirety, removing any accounts or
> groups not explicitly mentioned. Therefore at the least you would in this
> case want to ensure that the Domain Admins group is added as a member as well
> as any further groups, such as PCAdmins.
>
> Gordon
>
> "Cheryl" wrote:
>
> > Hi,
> >
> > I understand how to create the groups, thanks for clarifying how to apply
> > it to all computers with a group policy.
> >
> > Once I have that group applied to all of my PCs how do I make that group a
> > local admin of that machine without having to log onto every machine?
> >
> > I have looked through the group policy settings but I cannot find anything
> > specific.
> >
> > Many thanks for your help...
> >
> > Cheryl
> >
> > "Joe Richards [MVP]" wrote:
> >
> > > You should create a group in your domain called something like PCAdmins. Then
> > > add that group to every PC you have. Then you add the PCAdmin users to the
> > > PCAdmin group. It takes a little bit to set up but once configured, you only
> > > have to do a little maintenance. You can add the group to all PCs with a group
> > > policy on the OU that the PCs live in. Basically look at restricted groups.
> > >
> > > As for AD, it is fully set to be delegated in whatever manner you want. I
> > > recommend web surfing for search strings such as "active directory delegation"
> > > and such. Also it wouldn't hurt you to pick up some books and read them like the
> > > O'Reilly Active Directory book (Cat Book).
> > >
> > > joe
> > >
> > >
> > > --
> > > Joe Richards Microsoft MVP Windows Server Directory Services
> > > www.joeware.net
> > >
> > >
> > > Cheryl wrote:
> > > > We currently have a situation where all technicians are domain administrators. We
> > > > have a number of trainees that we would like to be able to just install
> > > > software and view parts of active directory.
> > > >
> > > > The viewing part is easy but the trainee cannot install software on a PC if
> > > > they are not domain administrators. Is there any way around this? I know I
> > > > can assign the trainee local administrator rights on the client PCs but we
> > > > have many PCs and many trainees so it is not a practical solution.
> > > >
> > > > From my experience domain administrators seem to be able to administer
> > > > active directory without any restrictions. Is this right? Could I remove this
> > > > somehow and assign individual people, without assigning the domain
> > > > administrators group. Then I could assign the trainees domain admins so they
> > > > can install their software on the PCs on the network.
> > > >
> > > > I hope this makes sense to whoever is reading it.
> > > >
> > > > Does anyone have a solution?
> > > >
> > > > Cheryl
> > > >
> > > > Auto Response doesn't always work, email: chezp200@hotmail.com
> > >
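
The caveat in Gordon's quoted reply (the last GPO to run sets the Administrators membership list in its entirety), as an added example that is not part of the original thread: a PowerShell check over the `[Group Membership]` section that Restricted Groups writes to each GPO's GptTmpl.inf. The two policy names, the file contents and the SIDs are constructed samples, and the GPOs are assumed to be listed in the order they apply.

```powershell
# Constructed sample: [Group Membership] sections of two GPOs' GptTmpl.inf files,
# in the order the GPOs are applied. The domain SIDs below are made up.
$AdminsKey = '*S-1-5-32-544__Members'   # BUILTIN\Administrators, "Members of this group"

$gpoInOrder = [ordered]@{
    'Site baseline' = @'
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-512,*S-1-5-21-1111111111-2222222222-3333333333-1105
'@
    'Workstations OU' = @'
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-1105
'@
}

function Get-RestrictedMembers {
    param([string]$InfText, [string]$Key)
    $inSection = $false
    foreach ($line in $InfText -split "`r?`n") {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Group Membership'); continue }
        if (-not $inSection) { continue }
        $name, $value = $line -split '=', 2
        if ($null -ne $value -and $name.Trim() -eq $Key) {
            # An empty value is a valid setting: it means "no members at all".
            return ,@($value.Split(',') | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
    return $null   # this GPO does not define the list
}

# Walk the GPOs in application order: each defined list replaces the previous one.
$effective = $null; $winner = $null
foreach ($gpo in $gpoInOrder.GetEnumerator()) {
    $members = Get-RestrictedMembers -InfText $gpo.Value -Key $AdminsKey
    if ($null -ne $members) { $effective = $members; $winner = $gpo.Key }   # replace, never merge
}

"Effective Administrators list comes from '$winner':"
$effective

# Domain Admins always has RID 512; flag a list that would drop it.
if (-not ($effective | Where-Object { $_ -match '^S-1-5-21-.*-512$' })) {
    Write-Warning "Domain Admins (RID 512) is not in the list and will be removed from local Administrators."
}
```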


