Re: Needing advice for administrative rights....

From: Joe Richards [MVP] (humorexpress_at_hotmail.com)
Date: 03/19/05


Date: Sat, 19 Mar 2005 02:52:30 -0500

This isn't entirely correct, that was how it worked initially but MS has done
quite a bit of work around this. Please check the KBs, you want to use the
memberof functionality of restricted groups.

   joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net

gordonah wrote:
> Cheryl
> 
> expanding on what Joe said, you can manage the membership list of the local 
> Administrator group on PCs using the Restricted Groups functionality. You'll 
> find this under Computer settings -> Windows Settings -> Security settings -> 
> Restricted groups. Right-click to Add a group (selecting Administrators from 
> your local PCs will translate into the Administrator group on any started 
> PC). You can then select the users you wish to be populated in this group (by 
> double-clicking and selecting Add).
> The big caveat with the use of this is the settings are not additive with 
> either the local settings or previously applied GPO, therefore the last GPO 
> to run sets the membership list in its entirety, removing any accounts or 
> groups not explicitly mentioned. Therefore at the least you would in this 
> case want to ensure that the Domain Admins group is added as a member as well 
> as any further groups, such as PCAdmins.
> 
> Gordon
> 
> "Cheryl" wrote:
> 
> 
>>Hi,
>>
>>I understand how to create the groups, thanks for clarifying how to apply 
>>it to all computers with a group policy.
>>
>>Once I have that group applied to all of my PCs how do I make that group a 
>>local admin of that machine without having to log onto every machine?
>>
>>I have looked through the group policy settings but I cannot find anything 
>>specific.
>>
>>Many thanks for your help...
>>
>>Cheryl
>>
>>"Joe Richards [MVP]" wrote:
>>
>>
>>>You should create a group in your domain called something like PCAdmins. Then 
>>>add that group to every PC you have. Then you add the PCAdmin users to the 
>>>PCAdmin group. It takes a little bit to set up but once configured, you only 
>>>have to do a little maintenance. You can add the group to all PCs with a group 
>>>policy on the OU that the PCs live in. Basically look at restricted groups.
>>>
>>>As for AD, it is fully set to be delegated in whatever manner you want. I 
>>>recommend web surfing for search strings such as "active directory delegation" 
>>>and such. Also it wouldn't hurt you to pick up some books and read them like the 
>>>O'Reilly Active Directory book (Cat Book).
>>>
>>>   joe
>>>
>>>
>>>--
>>>Joe Richards Microsoft MVP Windows Server Directory Services
>>>www.joeware.net
>>>
>>>
>>>Cheryl wrote:
>>>
>>>>We currently have a situation where all technicians are domain administrators. We 
>>>>have a number of trainees that we would like to be able to just install 
>>>>software and view parts of active directory.
>>>>
>>>>The viewing part is easy but the trainee cannot install software on a PC if 
>>>>they are not domain administrators. Is there any way around this? I know I 
>>>>can assign the trainee local administrator rights on the client PCs but we 
>>>>have many PCs and many trainees so it is not a practical solution.
>>>>
>>>>From my experience domain administrators seem to be able to administer 
>>>>active directory without any restrictions. Is this right? Could I remove this 
>>>>somehow and assign individual people, without assigning the domain 
>>>>administrators group. Then I could assign the trainees domain admins so they 
>>>>can install their software on the PCs on the network.
>>>>
>>>>I hope this makes sense to whoever is reading it.
>>>>
>>>>Does anyone have a solution?
>>>>
>>>>Cheryl
>>>>
>>>>Auto Response doesn't always work, email: chezp200@hotmail.com
>>>
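
Added example (not part of the original thread): how the two Restricted Groups modes discussed above, the "Members" list and the "Member Of" list, are stored in a GPO's GptTmpl.inf security template. S-1-5-32-544 is the well-known SID of the built-in Administrators group and RID 512 is Domain Admins; <DOMAIN> and <PCADMINS-RID> are placeholders, since the thread gives no SIDs.

```ini
; Illustrative GptTmpl.inf fragments, constructed for this example.
; <DOMAIN> and <PCADMINS-RID> are placeholders, not real values.
; S-1-5-32-544 = BUILTIN\Administrators, RID 512 = Domain Admins.

; --- Variant A: "Members of this group" configured on Administrators ---
; Authoritative list: when the policy applies, the local Administrators
; group is rewritten to exactly these members. Accounts and groups that
; are not listed are removed, which is why Domain Admins must be listed.
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-<DOMAIN>-512,*S-1-5-21-<DOMAIN>-<PCADMINS-RID>

; --- Variant B: "This group is a member of" configured on PCAdmins ---
; Additive: PCAdmins is added to the local Administrators group and the
; members already present on each PC are left in place.
[Group Membership]
*S-1-5-21-<DOMAIN>-<PCADMINS-RID>__Memberof = *S-1-5-32-544
*S-1-5-21-<DOMAIN>-<PCADMINS-RID>__Members =
```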

