Windows Thread, Kind of delegating control problem in Technical; I`m responsible for 2 sites on one domain and want to give my senior techs certain rights for their site, ...
23rd July 2008, 12:25 PM #1
Kind of delegating control problem
I`m responsible for 2 sites on one domain and want to give my senior techs certain rights for their site, each site is on its own ou and i`ve delegated the controls I want, I`m just struggling with how i would give them local admin rights on the desktop, I could create a group on each one and add them to that but then that would stop them installing computers themselves. could i do it centrally from our 2k3 server?
23rd July 2008, 12:36 PM #2
Computer Config->Windows Settings ->Security Settings-> Local Policies -> Security Options -> "Accounts: Administrator Account Status"
Set this up in new group policy and apply it to your users
23rd July 2008, 12:45 PM #3
Not sure what you are asking in the post but you can script adding a group to the local administrators group via a machine startup script or batch file, below is batch file method:
net localgroup "administrators" "domain\group" /add
23rd July 2008, 12:56 PM #4
You could use a restricted groups policy on each OU to add them as local admins on all stations in the appropriate OU.
Using Restricted Groups
Then grant them the right to add computer to the domain seperatly in Active Directory, this way they can add computers to the domain and will be local admins without the need for domain admin rights.
Last edited by cookie_monster; 23rd July 2008 at 01:01 PM.
23rd July 2008, 01:43 PM #5
Sorry I must be missing something - why not just give them full admin accounts and trust their proffesionalism not to interfere with each others sites?
23rd July 2008, 04:10 PM #6
I'm reading it as Jamie_a not wanting either user to have domain admin rights.
23rd July 2008, 09:14 PM #7
I agree with this.
Originally Posted by jcollings
24th July 2008, 10:35 AM #8
Err well i disagree how do you know the level of competency of the members of staff, i'm respecting Jamie_a's judgement on this. I wouldn't let just anyone have domain admin rights on my network if they're desktop support then give them local admin rights.
Only people that require domain admin accounts should have them i'd never just hand one out to each member of the team especially anyone that i didn't feel had a very good understanding of active directory.
24th July 2008, 11:58 AM #9
Each to their own I guess. Got to say if I didn't think I could trust my team with admin accounts they wouldn't be working for me. As you say though, I'm sure Jamie_a knows his staff and I don't know his setup. I know my team would be very ineffective if they didn't have admin rights as so much of what they do depends on it.
Originally Posted by cookie_monster
24th July 2008, 12:53 PM #10
It's not a matter of trust it's a matter of competency but i know where you're coming from as school IT teams tend to be quite small but if you have more than 4-5 members of staff they really shouldn't all have DA accounts. Allot of data held on the network just shouldn’t be blanket available to that number of people.
24th July 2008, 05:33 PM #11
I guess I meant trust to include cometency as well - again if they aren't competent then they are not working for me
Originally Posted by cookie_monster
My team don't have full access to some things - e.g. SIMS and the Finance system - not even I have a logon for the finance package!
24th July 2008, 06:08 PM #12
I agree depending on the size of the team, you wouldn't want everybody having acess to everything if it is relatively large.
We have a team of myself and two technicians here who both have the same access rights as me bar passwords to a couple of systems (Passwords in safe, incase of emergency etc). When the newest Technician started here last September I restricted his rights and addded to them bit by bit throughout the year as and when I felt he had picked up the skills that I felt justified him gaining more access to the system.
By indiegirl in forum General Chat
Last Post: 31st July 2008, 01:12 PM
By mudcow007 in forum Windows
Last Post: 29th May 2007, 02:17 PM
By in forum How do you do....it?
Last Post: 10th March 2007, 03:53 PM
By sidewinder in forum Wireless Networks
Last Post: 17th October 2006, 10:45 AM
Users Browsing this Thread
There are currently 1 users browsing this thread. (0 members and 1 guests)