I have a bit of an unusual problem. During the day our college has a team of IT technicians taking care of the network, including menial tasks such as resetting students' passwords etc. In the evening the technicians take turns to stay on a late shift to cover classes till 8pm. About once a week we have a non-IT staff member stay to cover the late shift as there aren't enough technicians on rotation. This person only carries out tasks such as replacing print toners and resetting passwords.
We would like to get Remote Server Administration Tools installed to run under his normal user account. At the moment it is installed but will only appear on the Start menu on admin accounts. Is this possible?
This particular staff member currently uses remote desktop to log onto the domain controller to reset passwords (using a separate admin account), which is an inconvenience and could be done away with if RSAT is working under his account. I have also delegated control to his user account in AD.
It may just be that it's not possible for this to happen unless he has an actual Admin account but that's why I'm asking the question.
I have to ask, if you copy the shortcuts do they run?
I assume his account is not domain admin for obvious reasons which would block them?
I would make an account that is exclusive for that person and grant the specific rights they need to reset, then copy the shortcuts and for each one go into Properties -> Shortcut tab -> Advanced and check the "Run as administrator" box and see if it then prompts them for auth, and they would use the account you made. You could even secure it down enough so that the elevated account can only be logged on at certain times/places too.
The run as admin checkbox may/may not work as expected though. If it didn't, they can run shortcuts as another user by right-clicking on the shortcut with SHIFT held down; the run as alt user option appears then.
Currently for example here my account I am logged in as is fully "normal" (aka not even local admin rights) and I make the shortcuts I need to run elevated with the check box trick and either login as a special local admin (for local changes) account or domain admin account depending on what mmc etc I need.
Thanks for the advice, I ended up finding a way to get this to work. I delegated control in Active Directory to the user just to allow him to reset passwords. I then installed RSAT on his computer under my administrative account. I copied the shortcut for Active Directory Users and Computers to the All Users desktop, so now when he logs in he has access to AD on his desktop and the only thing he can do is reset passwords.
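
Added example, not part of the thread: a PowerShell check that a delegated account holds only password-reset rights on an OU, which is worth running after a delegation like the one described above. The OU path and account name are placeholders, and the allow-list (the Reset Password extended right plus read/write of `pwdLastSet`) is an assumption about what was delegated.

```powershell
# Added example: list the ACEs a delegated account holds directly on an OU
# and flag anything beyond password reset.
# Assumptions: placeholder OU and account; RSAT ActiveDirectory module installed.
Import-Module ActiveDirectory

$OuDn    = 'OU=Students,DC=example,DC=edu'   # placeholder OU
$Account = 'EXAMPLE\lateshift'               # placeholder account

# Well-known schema GUIDs
$ResetPassword = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # Reset Password extended right
$PwdLastSet    = [guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'  # pwdLastSet attribute

$Rights = [System.DirectoryServices.ActiveDirectoryRights]

# Read the OU's DACL through the AD: drive and keep only this account's ACEs
$acl  = Get-Acl -Path "AD:\$OuDn"
$aces = $acl.Access | Where-Object { $_.IdentityReference.Value -eq $Account }

$report = foreach ($ace in $aces) {
    $isReset  = ($ace.ActiveDirectoryRights -eq $Rights::ExtendedRight) -and
                ($ace.ObjectType -eq $ResetPassword)
    # Only read/write property bits set, and scoped to pwdLastSet
    $propOnly = -not ($ace.ActiveDirectoryRights -band
                      (-bnot ($Rights::ReadProperty -bor $Rights::WriteProperty)))
    $isPwdSet = $propOnly -and ($ace.ObjectType -eq $PwdLastSet)

    [pscustomobject]@{
        Type       = $ace.AccessControlType
        Rights     = $ace.ActiveDirectoryRights
        ObjectType = $ace.ObjectType
        AppliesTo  = $ace.InheritedObjectType
        Inherited  = $ace.IsInherited
        Expected   = [bool]($isReset -or $isPwdSet)
    }
}

$report | Format-Table -AutoSize

# Anything not on the allow-list deserves a manual look
$unexpected = @($report | Where-Object { -not $_.Expected })
if ($unexpected.Count -gt 0) {
    Write-Warning "$Account holds $($unexpected.Count) ACE(s) beyond password reset on $OuDn"
}
```

This only covers ACEs granted to the account itself; rights that reach it through group membership need the same check run against each group.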