Re: How to make regular user a default admin for Computers under his OU ?



Thanks Mr. Weber,

I redid the OU and groups from scratch and applied the "restricted groups" policy. It works now.

I found out too that besides the default permissions given to this group on the delegation of the OU, I still had to give Create/Delete "all child objects" permission on this OU to that group so that they could manually create a computer entry in the ADUC window (right click, New->Computer). And once they create and join their computers, they can do all the admin tasks fine.

Thanks for the help.

David



Meinolf Weber wrote:
Hello DavidC,

Seems that some more policies are set for the used group. For changing the workstation name, for example, you must have domain admin rights or the group has to get delegated the right to change a workstation name, because it is a domain member. Of course you can change from domain to workgroup and then rename the workstation, but then you have to rejoin the domain, which is not possible for local admins by default.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

Well, I thought this was all I needed to do so that this regular user
group could have admin permissions on their machines. But I'm still
missing something because the system still doesn't let that group do
Admin tasks (change name of machine, enable/disable remote desktop,
etc, login remotely, etc).

In the group policy on the system (on the client: open mmc, add Group
Pol snap in and look at members of the Administrator group) I can see
this group being a member of the Administrators group. But yet, when I
login as one of them I cannot do any Admin related tasks.

What else do I need to do besides adding this group to the "Restricted
Groups" in the policy for this Org. Unit ? I need all their computers
to allow this group default Admin access.

David

DavidC wrote:

Mr. Weber,

Thanks a lot. That site explains it so clearly. It was very helpful.

Thanks!

David

Meinolf Weber wrote:

Hello DavidC,

Use the Restricted Groups with GPO.
http://www.frickelsoft.net/blog/?p=13
Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Hello,

On Win2003 Server I created an Organizational Unit TEAMOU and I
delegated control of it to the TEAMOU_Admins group. Under that OU I
added a Computers OU for them to add their computers. That all
works fine, but I also want them to be the default Admins of those
computers in that TEAMOU\Computers folder so that they can login
remotely and locally. I don't want to add this group to my default
Domain_Admins group. How else can I give them this ability ?

I've tried putting a GroupPolicy on TEAMOU to set the groups
allowed to login locally, through the network and through terminal
services (Administrators, Remote Desktop Users,
Mydomain\TEAMOU_Admins). But as soon as they try to login through
terminal services to their machines, they get an error about the
local policy not allowing them to login interactively.

Any hints?

Thanks

David
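
The OU delegation described in David's final reply can be audited with the following added example, which is not part of the thread or code posted by anyone in it. It assumes the RSAT ActiveDirectory PowerShell module and a placeholder distinguished name for TEAMOU; it lists the create/delete child-object rights TEAMOU_Admins holds on the OU and flags grants that cover all object classes rather than only computer objects.

```powershell
# Added example (not from the thread). Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Assumed values: adjust the DN and NetBIOS domain name to your environment.
$OuDn  = 'OU=TEAMOU,DC=mydomain,DC=example'
$Group = 'MYDOMAIN\TEAMOU_Admins'

# ObjectType GUIDs on an ACE: all zeros means "all child objects";
# bf967a86-... is the schemaIDGUID of the computer class.
$AllClasses    = [guid]::Empty
$ComputerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

# Rights of interest. GenericAll (Full Control) contains both bits and also matches.
$CreateDelete = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild'

# Read the OU's DACL through the AD: drive and keep the group's allow ACEs
# that grant creation or deletion of child objects.
$aces = (Get-Acl -Path "AD:\$OuDn").Access | Where-Object {
    $_.IdentityReference.Value -eq $Group -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.ActiveDirectoryRights -band $CreateDelete)
}

$report = foreach ($ace in $aces) {
    if ($ace.ObjectType -eq $AllClasses) {
        $scope = 'ALL child object classes'
    } elseif ($ace.ObjectType -eq $ComputerClass) {
        $scope = 'computer objects only'
    } else {
        $scope = "other class GUID $($ace.ObjectType)"
    }
    [pscustomobject]@{
        Rights    = $ace.ActiveDirectoryRights
        AppliesTo = $scope
        Inherited = $ace.IsInherited
        Broad     = ($ace.ObjectType -eq $AllClasses)
    }
}

$report | Format-Table -AutoSize

# An all-classes grant also lets the group create users, groups and nested OUs here.
if ($report | Where-Object Broad) {
    Write-Warning "$Group can create or delete any object class under $OuDn, not only computers."
}
```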


