Re: Enable non-admin users to access member servers or client PC



1) If you want your help desk folks to be able to make modifications on
the client machines they will probably need to be local admins (not
domain admins). You could place the help desk group in the Restricted Groups
of a GPO to automatically place them in the local Administrators group of all
workstations.

5) In order for a group to manage a print queue they have to have the
Manage Printer permission. You will have to grant that. Would suggest you
place a domain group in all printers that grants this specific access (Same
one as in step 1).

6) In order to modify server folder permissions the group needs to be
granted Full Access to the Folder and allow inheritance to follow down the
tree. Would again suggest you place a domain group as previously stated.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"Kent" <Kent@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:C2B60286-8BC1-4A3D-95E9-09ED2D5142FC@xxxxxxxxxxxxxxxx
Hello,
I would like to restructure my AD user permission.
Non-Admin users like helpdesk will be performing:
1. Troubleshoot on client machine
2. Health check on member servers
3. Reset user password
4. Add/Delete/Modify user account info
5. Manage print queue
6. Modify file servers folder permission

What I've done thus far:
1. Add helpdesk users to Remote Desktop Users group
2. Enable Restricted Groups for Remote Desktop Users group
3. Enable delegation to perform Modification to users account info/reset
user password

The things that I did can solve items 2, 3 & 4.
Items 1, 5 & 6 are not successful because Helpdesk does not belong to
Admin groups like Domain Admins, Administrators, etc.

Any advice on how to do this correctly?
Thanks in advance.
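
A read-only check that the Restricted Groups setting suggested in the reply took effect, as an added example that is not part of the original thread: it lists the local Administrators group on each workstation and flags a missing help desk group or any member outside an expected list. The domain, group and computer names are assumptions.

```powershell
# Added example (not from the thread). Assumed names: CONTOSO, HelpDesk-LocalAdmins, WS01, WS02.
$HelpDeskGroup = 'CONTOSO\HelpDesk-LocalAdmins'
$Expected      = @('CONTOSO\Domain Admins', $HelpDeskGroup)
$Computers     = @('WS01', 'WS02')

# Requires PowerShell remoting on the targets and Windows PowerShell 5.1 for Get-LocalGroupMember.
$members = Invoke-Command -ComputerName $Computers -ErrorAction SilentlyContinue -ScriptBlock {
    # S-1-5-32-544 is the well-known SID of the built-in Administrators group.
    Get-LocalGroupMember -SID 'S-1-5-32-544' | ForEach-Object {
        [pscustomobject]@{
            Member = $_.Name
            Sid    = $_.SID.Value
            Source = "$($_.PrincipalSource)"
        }
    }
}

$findings = foreach ($c in $Computers) {
    $onHost = @($members | Where-Object PSComputerName -eq $c)
    if ($onHost.Count -eq 0) {
        # Host was unreachable or returned nothing; report it rather than treating it as clean.
        [pscustomobject]@{ Computer = $c; Finding = 'NoDataReturned'; Member = $null }
        continue
    }
    if ($onHost.Member -notcontains $HelpDeskGroup) {
        [pscustomobject]@{ Computer = $c; Finding = 'HelpDeskGroupMissing'; Member = $HelpDeskGroup }
    }
    foreach ($m in $onHost) {
        # The machine's own built-in Administrator account (RID 500) is expected, so skip it.
        $builtin = $m.Source -eq 'Local' -and $m.Sid -match '^S-1-5-21-\d+-\d+-\d+-500$'
        if (-not $builtin -and $Expected -notcontains $m.Member) {
            [pscustomobject]@{ Computer = $c; Finding = 'UnexpectedMember'; Member = $m.Member }
        }
    }
}
$findings | Sort-Object Computer, Finding | Format-Table -AutoSize
```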


