Re: Global Account for Installing Software



You could create a sub-ou within the main ou for these machines and use
restricted groups to delegate a subadmin to manage these machines.

If you want them to be local admins so they can perform maintenance then you
should consider using restricted groups:

To use the restricted user group gpo setting


computer configuration \ windows settings \ restricted groups


group = your group to be made local admins
member of = BUILTIN\Administrators


http://www.windowsecurity.com/articles/Using-Restricted-Groups.html


http://www.microsoft.com/technet/prodtechnol/windowsserver2003/librar...


http://www.microsoft.com/resources/documentation/windows/xp/all/prodd...


There is absolutely nothing that has to be done on the client side.


Create the gpo in the ou where the Computers reside (NOT the users), go to
computer configuration/windows settings/security settings/restricted groups,
right click on restricted groups and select new group (For the local
computers, this group name should be - administrators) and key in the group
you want auto populated. Select add on the Members of this group and then
add the members you want populated.


Note: Be aware that the higher you place this setting within the domain's
group policy the possibility exists it is applied to machines you may not
want it applied to. With this in mind you should try and avoid this setting
at the domain level, with the exception of the domain admins group. We have
some users who are local admins on machines and for some reason they feel
compelled to remove the domain admins from their local administrators group.
Setting this at the domain level manages these annoying

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup. This
posting is provided "AS IS" with no warranties, and confers no rights.

"Yorgy" <yorgy_i@xxxxxxxxxxx> wrote in message
news:AD333273-EA88-4AB4-ADF1-E885592604DD@xxxxxxxxxxxxxxxx
Hello,

We currently run a Windows Server 2003 Domain SP2.
We would like to set up a group or an account (to allow the use of the Run
As... command) to install software on 10 local machines for some of our
mechanical engineers.

Can someone please tell me if there is a solution to this?

Thank you
Yorgy
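
The reply above describes two ways to use Restricted Groups: making a domain group a "member of" BUILTIN\Administrators, or defining the local Administrators group and filling in its Members list. As an added example (not part of the original thread), the following Python reads the [Group Membership] section that a GPO stores in its GptTmpl.inf security template and reports which mode each local-admin grant uses. The sample template, its SIDs and the function names are constructed for illustration.

```python
import re

ADMINS_SID = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators

# Constructed sample of a GPO security template; all domain SIDs are made up.
SAMPLE_INF = """\
[Group Membership]
*S-1-5-21-1111-2222-3333-1105__Memberof = *S-1-5-32-544
*S-1-5-21-1111-2222-3333-1105__Members =
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111-2222-3333-512,*S-1-5-21-1111-2222-3333-1107
[Version]
signature="$CHICAGO$"
"""

ENTRY = re.compile(r"^(.+?)__(Members|Memberof)\s*=\s*(.*)$", re.I)

def parse_restricted_groups(inf_text):
    """Return (group, 'Members' or 'Memberof', [principals]) per policy line."""
    entries, section = [], None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        m = ENTRY.match(line)
        if section == "group membership" and m:
            group, kind, value = m.groups()
            names = [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
            entries.append((group.lstrip("*"), kind.capitalize(), names))
    return entries

def is_admins(name):
    return name.upper() in (ADMINS_SID, "ADMINISTRATORS", "BUILTIN\\ADMINISTRATORS")

def local_admin_grants(inf_text):
    """Who the policy puts into local Administrators, and in which mode."""
    grants = []
    for group, kind, names in parse_restricted_groups(inf_text):
        if kind == "Memberof" and any(is_admins(n) for n in names):
            grants.append((group, "additive"))      # existing members are kept
        elif kind == "Members" and is_admins(group):
            grants += [(n, "replace") for n in names]  # unlisted members are removed
    return grants

if __name__ == "__main__":
    for principal, mode in local_admin_grants(SAMPLE_INF):
        print(f"{mode:8} {principal}")
```

Run against the templates of GPOs linked at each OU level, the "replace" entries show where a policy would strip local administrators that are not on its list.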



