Windows Server 2008 R2 thread (Technical forum): admin rights - How do I give a user rights to add/remove programs, join computer to domain, rename computer but I don't ...
18th November 2010, 05:16 AM #1
How do I give a user rights to add/remove programs, join a computer to the domain and rename the computer, but I don't want the user to be able to browse folders. What is the best way to do this? Thanks
18th November 2010, 08:53 AM #2
I don't think it's possible to stop someone browsing folders unless you place NTFS permissions on those folders.
To add/remove programs, users need to be power users or local admins.
Computer joining etc. can be altered by placing permissions on the OU/container in which the PC resides (or the default Computers OU).
18th November 2010, 09:08 AM #3
A simple way is to right-click on the domain name in AD and select Delegate Control - you can then select the options you want.
Originally Posted by bio
By browse folders, what do you mean? On the local machine or on the server?
18th November 2010, 06:52 PM #4
I tried delegating, but when the user logs into the computer via the domain they do not have rights to add/remove. It says "must be administrator"... What I mean by browsing is, for instance, I get it to work so the user logs into the computer via the domain and they can add/remove programs. I don't want them to be able to view the home folders of other users. Hope I am being clear. Thanks
P.S. I created an OU named "workstations" for testing and added a test computer. I right-clicked and selected Delegate Control / Active Directory object type: selected computer object.
Last edited by superhl; 18th November 2010 at 07:03 PM.
18th November 2010, 07:02 PM #5
The user has admin rights to the local workstation, so it is not a big deal. I was hoping there is a way to give the user enough rights without having to log in to the local workstation to make changes. I just recently moved to AD. Originally, we were a Novell shop.
18th November 2010, 08:08 PM #6
The Delegate Control wizard will only give users access to edit that part of Active Directory, so what you have done is allow those staff to manage your Computers section of AD.
For being able to add/remove programs you need to set up a GPO to add the users to the local Administrators group.
18th November 2010, 08:13 PM #7
If you make a user admin on their local machine they won't be able to browse other users' home folders unless the permissions are wrong on the server where the folders are.
If you make a user a member of Domain Admins then by default this will give them the local rights, but it will give them far too many rights - they will be able to browse home directories (and absolutely everything else).
If you use Active Directory Users and Computers then this won't directly let you set someone as a local admin - if you put someone into an admins group there, it's the Domain Admins group.
If you want to make this happen for quite a few users then one way to do it is to create a group called (say) workstation_admin and add your users to that in ADU&C - that gives you a group you can manage centrally.
Now you need to add that group to local admins on the workstations. The easiest way to do this is to use a group policy.
You need to have all your computers in an OU (they can't be in the default Computers container) and then you create a GPO which is attached to this OU. Edit the GPO and go to Computer Configuration/Windows Settings/Security Settings/Restricted Groups and choose the group Administrators. Add to this Administrator, Domain Admins and workstation_admin.
When the group policy next applies to the workstations in this OU, the membership of the Administrators group will be reset to just the 3 you've added above (you can obviously add whatever you need). Note that this will get reset by group policy, so if you change the settings on a workstation they'll just get reset.
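The procedure in the post above, as an added example that is not from the thread or any poster: it creates the central workstation_admin group, then audits each computer in the OU to confirm that, once the Restricted Groups setting has applied, the local Administrators group holds only the expected members. The domain name, OU distinguished name and user name are placeholders, and the RSAT ActiveDirectory module is assumed to be installed.

```powershell
# Added example (not from the thread). Creates the workstation_admin group and audits
# local Administrators membership on every computer in the OU against the Restricted
# Groups result described in the post. Domain, OU and user names are placeholders.
Import-Module ActiveDirectory   # RSAT AD module; syntax kept PowerShell 2.0 compatible

$Domain     = 'CONTOSO'                              # placeholder NetBIOS domain name
$WsOu       = 'OU=workstations,DC=contoso,DC=local'  # placeholder DN of the "workstations" OU
$AdminGroup = 'workstation_admin'

# 1. Create the group once; its membership is then managed centrally (ADU&C or here).
if (-not (Get-ADGroup -Filter "Name -eq '$AdminGroup'")) {
    New-ADGroup -Name $AdminGroup -GroupScope Global -GroupCategory Security -Path $WsOu
}
# Add-ADGroupMember -Identity $AdminGroup -Members 'jdoe'   # placeholder user

# 2. What Restricted Groups should leave behind, besides the machine's built-in Administrator.
$Expected = @("$Domain\Domain Admins", "$Domain\$AdminGroup")

# Reads a remote machine's local Administrators group through the WinNT ADSI provider
# and returns each member as a DOMAIN\name (or DOMAIN\COMPUTER\name for local accounts).
function Get-LocalAdmins {
    param([string]$Computer)
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    foreach ($m in $group.psbase.Invoke('Members')) {
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        # e.g. WinNT://CONTOSO/workstation_admin  ->  CONTOSO\workstation_admin
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

# 3. Audit every computer object in the OU and report drift from the expected membership.
Get-ADComputer -SearchBase $WsOu -Filter * | ForEach-Object {
    $pc = $_.Name
    try {
        $actual  = @(Get-LocalAdmins -Computer $pc)
        # The machine's own built-in Administrator shows up under the computer name; ignore it.
        $extra   = @($actual   | Where-Object { ($Expected -notcontains $_) -and ($_ -notlike "*$pc\*") })
        $missing = @($Expected | Where-Object { $actual -notcontains $_ })
        if ($extra.Count -eq 0 -and $missing.Count -eq 0) {
            Write-Output "$pc : OK"
        } else {
            Write-Output "$pc : extra=[$($extra -join ', ')] missing=[$($missing -join ', ')]"
        }
    } catch {
        Write-Warning "$pc : could not read local Administrators ($_)"
    }
}
```

Run it from a domain-joined admin workstation after a gpupdate on the targets; any "extra" entry is a local admin that group policy has not yet reset, or a machine outside the OU the GPO is linked to.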
18th November 2010, 08:15 PM #8
The user will need to be in the Account Operators group on the domain to join domain / rename computer.
The Power Users group will allow them to use Add/Remove Programs, and it should prevent them from browsing other users' profiles.
Definitely test to see if you get all of the results you want, but this should get you pretty dang close.