  1. #1
    Jamie_a's Avatar
    Join Date
    Dec 2006
    Location
    Sheffield
    Posts
    82
    Thank Post
    9
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    Kind of delegating control problem

    I'm responsible for 2 sites on one domain and want to give my senior techs certain rights for their site. Each site is on its own OU and I've delegated the controls I want; I'm just struggling with how I would give them local admin rights on the desktop. I could create a group on each one and add them to that, but then that would stop them installing computers themselves. Could I do it centrally from our 2k3 server?

  2. #2
    DSapseid's Avatar
    Join Date
    Feb 2007
    Location
    West Sussex
    Posts
    1,152
    Thank Post
    130
    Thanked 54 Times in 47 Posts
    Rep Power
    38
    Computer Config->Windows Settings ->Security Settings-> Local Policies -> Security Options -> "Accounts: Administrator Account Status"

    Set this up in new group policy and apply it to your users

  3. #3
    jsnetman's Avatar
    Join Date
    Oct 2007
    Posts
    887
    Thank Post
    23
    Thanked 134 Times in 126 Posts
    Rep Power
    40
    Not sure what you are asking in the post but you can script adding a group to the local administrators group via a machine startup script or batch file, below is batch file method:

    net localgroup "administrators" "domain\group" /add

  4. #4
    cookie_monster's Avatar
    Join Date
    May 2007
    Location
    Derbyshire
    Posts
    4,203
    Thank Post
    394
    Thanked 278 Times in 239 Posts
    Rep Power
    74
    You could use a restricted groups policy on each OU to add them as local admins on all stations in the appropriate OU.

    Using Restricted Groups


    Then grant them the right to add computers to the domain separately in Active Directory; this way they can add computers to the domain and will be local admins without the need for domain admin rights.

    http://support.microsoft.com/kb/251335

    http://www.lockergnome.com/windows/2...to-the-domain/

    Last edited by cookie_monster; 23rd July 2008 at 12:01 PM.
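
Added example (not part of the thread): a PowerShell check that the local Administrators group on a workstation ends up as intended after the startup-script approach in post #3 or the Restricted Groups policy in post #4. The domain name EXAMPLE and the group SiteA-DesktopAdmins are hypothetical placeholders, and the group name Administrators assumes an English-language Windows install.

```powershell
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    # Hypothetical allow-list: replace EXAMPLE and the site group with your own.
    [string[]]$Allowed = @(
        "$ComputerName\Administrator",   # built-in local account
        'EXAMPLE\Domain Admins',         # added when the machine joins the domain
        'EXAMPLE\SiteA-DesktopAdmins'    # per-site group pushed by policy or script
    )
)

# Turn WinNT://DOMAIN/Name or WinNT://DOMAIN/PC/Name into "scope\Name".
# An orphaned SID (WinNT://S-1-5-21-...) has one segment and is returned as-is.
function ConvertTo-AccountName {
    param([string]$ADsPath)
    $parts = @(($ADsPath -replace '^WinNT://', '') -split '/')
    if ($parts.Count -ge 2) { return ($parts[-2] + '\' + $parts[-1]) }
    return $parts[0]
}

# Read the members of the local Administrators group via the WinNT provider.
function Get-LocalAdminMember {
    param([string]$Computer)
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    foreach ($m in $group.psbase.Invoke('Members')) {
        # Members are COM objects, so ADsPath is read by late binding.
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        ConvertTo-AccountName $path
    }
}

# Compare actual membership with the allow-list (comparison is case-insensitive).
function Compare-AdminMembership {
    param([string[]]$Actual, [string[]]$Expected)
    New-Object PSObject -Property @{
        Unexpected = @($Actual   | Where-Object { $Expected -notcontains $_ })
        Missing    = @($Expected | Where-Object { $Actual   -notcontains $_ })
    }
}

$actual = @(Get-LocalAdminMember $ComputerName)
$result = Compare-AdminMembership -Actual $actual -Expected $Allowed

$result.Unexpected | ForEach-Object { Write-Output "UNEXPECTED on ${ComputerName}: $_" }
$result.Missing    | ForEach-Object { Write-Output "MISSING on ${ComputerName}: $_" }

# Non-zero exit code lets a scheduled task or login script flag drift.
if ($result.Unexpected.Count -gt 0 -or $result.Missing.Count -gt 0) { exit 1 }
Write-Output "OK: local Administrators on $ComputerName matches the allow-list."
```

Run it once per OU with that site's group in the allow-list; entries reported as unexpected are accounts left behind by earlier manual additions.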

  5. #5

    Join Date
    Nov 2006
    Location
    Kendal
    Posts
    1,555
    Thank Post
    112
    Thanked 177 Times in 144 Posts
    Rep Power
    71
    Sorry I must be missing something - why not just give them full admin accounts and trust their professionalism not to interfere with each other's sites?

  6. #6
    cookie_monster's Avatar
    Join Date
    May 2007
    Location
    Derbyshire
    Posts
    4,203
    Thank Post
    394
    Thanked 278 Times in 239 Posts
    Rep Power
    74
    I'm reading it as Jamie_a not wanting either user to have domain admin rights.

  7. #7

    FN-GM's Avatar
    Join Date
    Jun 2007
    Location
    UK
    Posts
    16,053
    Thank Post
    888
    Thanked 1,728 Times in 1,491 Posts
    Blog Entries
    12
    Rep Power
    453
    Quote Originally Posted by jcollings View Post
    Sorry I must be missing something - why not just give them full admin accounts and trust their professionalism not to interfere with each other's sites?
    I agree with this.

    Z

  8. #8
    cookie_monster's Avatar
    Join Date
    May 2007
    Location
    Derbyshire
    Posts
    4,203
    Thank Post
    394
    Thanked 278 Times in 239 Posts
    Rep Power
    74
    Err, well, I disagree. How do you know the level of competency of the members of staff? I'm respecting Jamie_a's judgement on this. I wouldn't let just anyone have domain admin rights on my network; if they're desktop support then give them local admin rights.
    Only people that require domain admin accounts should have them. I'd never just hand one out to each member of the team, especially anyone that I didn't feel had a very good understanding of Active Directory.

  9. #9

    Join Date
    Nov 2006
    Location
    Kendal
    Posts
    1,555
    Thank Post
    112
    Thanked 177 Times in 144 Posts
    Rep Power
    71
    Quote Originally Posted by cookie_monster View Post
    Err, well, I disagree. How do you know the level of competency of the members of staff? I'm respecting Jamie_a's judgement on this. I wouldn't let just anyone have domain admin rights on my network; if they're desktop support then give them local admin rights.
    Only people that require domain admin accounts should have them. I'd never just hand one out to each member of the team, especially anyone that I didn't feel had a very good understanding of Active Directory.
    Each to their own I guess. Got to say if I didn't think I could trust my team with admin accounts they wouldn't be working for me. As you say though, I'm sure Jamie_a knows his staff and I don't know his setup. I know my team would be very ineffective if they didn't have admin rights as so much of what they do depends on it.

  10. #10
    cookie_monster's Avatar
    Join Date
    May 2007
    Location
    Derbyshire
    Posts
    4,203
    Thank Post
    394
    Thanked 278 Times in 239 Posts
    Rep Power
    74
    It's not a matter of trust, it's a matter of competency, but I know where you're coming from as school IT teams tend to be quite small. But if you have more than 4-5 members of staff they really shouldn't all have DA accounts. A lot of data held on the network just shouldn't be blanket available to that number of people.

  11. #11

    Join Date
    Nov 2006
    Location
    Kendal
    Posts
    1,555
    Thank Post
    112
    Thanked 177 Times in 144 Posts
    Rep Power
    71
    Quote Originally Posted by cookie_monster View Post
    It's not a matter of trust, it's a matter of competency, but I know where you're coming from as school IT teams tend to be quite small. But if you have more than 4-5 members of staff they really shouldn't all have DA accounts. A lot of data held on the network just shouldn't be blanket available to that number of people.
    I guess I meant trust to include competency as well - again, if they aren't competent then they are not working for me.

    My team don't have full access to some things - e.g. SIMS and the Finance system - not even I have a logon for the finance package!

  12. #12

    Sylv3r's Avatar
    Join Date
    Jul 2005
    Location
    Co. Durham
    Posts
    3,213
    Thank Post
    372
    Thanked 379 Times in 337 Posts
    Rep Power
    148
    I agree, depending on the size of the team; you wouldn't want everybody having access to everything if it is relatively large.

    We have a team of myself and two technicians here who both have the same access rights as me bar passwords to a couple of systems (passwords in safe, in case of emergency etc). When the newest technician started here last September I restricted his rights and added to them bit by bit throughout the year as and when I felt he had picked up the skills that I felt justified him gaining more access to the system.
