Windows Server 2008 R2 Thread, admin rights in Technical; How do I give a user rights to add remove programs, join computer to domain, rename computer but I don't ...
  1. #1


    admin rights

    How do I give a user rights to add/remove programs, join a computer to the domain, and rename a computer, but I don't want the user to be able to browse folders. What is the best way to do this? Thanks

  2. #2
    bio
    I don't think it's possible to stop someone from browsing folders, unless you place NTFS permissions on those folders.
    To add/remove programs, users need to be power users or local admins.
    Computer joining etc. can be altered by placing permissions on the OU/container in which the PC resides (or the default computer OU).

    bio..

  3. #3

    glennda
    Quote: Originally posted by bio
    I don't think it's possible to stop someone from browsing folders, unless you place NTFS permissions on those folders.
    To add/remove programs, users need to be power users or local admins.
    Computer joining etc. can be altered by placing permissions on the OU/container in which the PC resides (or the default computer OU).

    bio..

    A simple way is to right-click on the domain name in AD and select Delegate Control - you can then select the options you want.

    By browse folders, what do you mean? On the local machine or on the server?

  4. #4

    Glennda,
    I tried delegating, but when the user logs into the computer via the domain they do not have rights to add/remove. It says "must be administrator"... What I mean by browsing is, for instance, I get it to work so the user logs into the computer via the domain and they can add/remove programs. I don't want them to be able to view home folders of other users. Hope I am being clear. Thanks
    P.S. I created an OU named "workstations" for testing and added a test computer. I right-clicked and selected delegate control / Active Directory object type: selected computer object.
    Last edited by superhl; 18th November 2010 at 07:03 PM.

  5. #5

    Bio,
    The user has admin rights to the local workstation, so it is not a big deal. I was hoping there is a way to give the user enough rights without having to log in to the local workstation to make changes. I just recently moved to AD. Originally, we were a Novell shop.

  6. #6

    glennda
    The Delegate Control wizard will only give users access to edit that part of Active Directory, so what you have done is allow those staff to manage your computers section of AD.

    For being able to add/remove programs you need to set up a GPO to add the users to the local Administrators group.

  7. #7

    If you make a user admin on their local machine they won't be able to browse other users' home folders unless the permissions are wrong on the server where the folders are.

    If you make a user a member of Domain Admins then by default this will give them the local rights but will give them far too many rights - they will be able to browse home directories (and absolutely everything else).

    If you use Active Directory Users and Computers then this won't directly let you set someone as a local admin - if you put someone into an admins group there, it's the domain admins group.

    If you want to make this happen for quite a few users then one way to do it is to create a group called (say) workstation_admin and add your users to that in ADU&C - that gives you a group you can manage centrally.

    Now you need to add that group to local admins on the workstations. The easiest way to do this is to use a group policy.

    You need to have all your computers in an OU (they can't be in the default Computers container) and then you create a GPO which is attached to this OU. Edit the GPO and go to Computer Configuration/Windows Settings/Security Settings/Restricted Groups and choose the group Administrators. Add to this Administrator, Domain Admins and workstation_admin.

    When the group policy next applies to the workstations in this OU, the membership of the administrators group will be reset to just the 3 you've added above (you can obviously add whatever you need). Note that this will get reset by group policy so if you change the settings on a workstation they'll just get reset.
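
The Restricted Groups behaviour described in post #7, as an added example that is not part of the original thread: a PowerShell audit that reports where a workstation's local Administrators group differs from the policy's member list, which is also what the next policy refresh would remove. The function name Get-LocalAdminDrift is hypothetical, the expected member names follow the post, and an English-language group name "Administrators" is assumed.

```powershell
# Added example (not from the thread). Compares by account name only, so a
# local and a domain account with the same name are not distinguished.
function Get-LocalAdminDrift {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        # Members the Restricted Groups policy is expected to leave in place.
        [string[]]$Expected = @('Administrator', 'Domain Admins', 'workstation_admin')
    )

    foreach ($computer in $ComputerName) {
        try {
            # The WinNT ADSI provider needs no extra modules on Windows 7 / Server 2008 R2.
            $group  = [ADSI]"WinNT://$computer/Administrators,group"
            $actual = @($group.psbase.Invoke('Members') | ForEach-Object {
                $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
            })
        }
        catch {
            New-Object PSObject -Property @{
                Computer = $computer; Member = $null
                Status   = "Query failed: $($_.Exception.Message)"
            } | Select-Object Computer, Member, Status
            continue
        }

        # Present locally but not in the policy list: removed at the next refresh.
        foreach ($m in $actual) {
            if ($Expected -notcontains $m) {
                New-Object PSObject -Property @{ Computer = $computer; Member = $m; Status = 'Unexpected' } |
                    Select-Object Computer, Member, Status
            }
        }
        # In the policy list but absent locally: the policy has not applied yet.
        foreach ($m in $Expected) {
            if ($actual -notcontains $m) {
                New-Object PSObject -Property @{ Computer = $computer; Member = $m; Status = 'Missing' } |
                    Select-Object Computer, Member, Status
            }
        }
    }
}

# Audit the local machine; pass -ComputerName to check workstations in the OU.
Get-LocalAdminDrift | Format-Table -AutoSize
```

No output means the local Administrators group already matches the policy list exactly.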

  8. #8

    The user will need to be in the account operators group on the domain to join domain / rename computer.

    Power User Group will allow them to use add/remove programs and it should prevent them from browsing other users' profiles.

    Definitely test to see if you get all of the results you want, but this should get you pretty dang close.


