+ Post New Thread
Page 1 of 2 12 LastLast
Results 1 to 15 of 22
Windows Thread, types of administrator account in Technical; Hello All, Im a bit confused with types of administrator; Basically i want my technicians to be able to have ...
  1. #1

    Join Date
    Oct 2005
    Location
    Wakefield, UK
    Posts
    51
    Thank Post
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    types of administrator account

    Hello All,


    Im a bit confused with types of administrator;

    Basically i want my technicians to be able to have read access to the active directory, and be able to reset passwords on acounts

    They also must be able to add / remove machines from the domain.

    I've tried account operators, but this doesnt let them do the adding / removing machines, and domain admins seems to give them more or less full control in AD.

    What would you suggest?

  2. #2
    wesleyw's Avatar
    Join Date
    Dec 2005
    Location
    Kingswinford
    Posts
    2,208
    Thank Post
    225
    Thanked 50 Times in 44 Posts
    Blog Entries
    1
    Rep Power
    30

    Re: types of administrator account

    <Removed>

    My original post wasn't worth reading!


    Wes

  3. #3
    ChrisH's Avatar
    Join Date
    Jun 2005
    Location
    East Lancs
    Posts
    5,013
    Thank Post
    120
    Thanked 283 Times in 261 Posts
    Rep Power
    108

    Re: types of administrator account

    You need to use the delegation of authority wizard. Resetting passwords is easy from that and if you have your machines in an OU of their own then you can delegate them more permissions over that than containers with users in etc.

  4. #4
    wesleyw's Avatar
    Join Date
    Dec 2005
    Location
    Kingswinford
    Posts
    2,208
    Thank Post
    225
    Thanked 50 Times in 44 Posts
    Blog Entries
    1
    Rep Power
    30

    Re: types of administrator account

    With regards to ChrisH check this website address for a step by step guide:

    http://www.microsoft.com/technet/pro...p/ctrlwiz.mspx

    Wes

  5. #5

    Join Date
    Oct 2005
    Location
    Wakefield, UK
    Posts
    51
    Thank Post
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    Re: types of administrator account

    this is great, thanks a lot.

    One thing though...


    i forgot to mention the domain setup, basically its mostly 2003 but one of the DC's is 2000 (dont snigger)

    Will it still work?

  6. #6
    wesleyw's Avatar
    Join Date
    Dec 2005
    Location
    Kingswinford
    Posts
    2,208
    Thank Post
    225
    Thanked 50 Times in 44 Posts
    Blog Entries
    1
    Rep Power
    30

    Re: types of administrator account

    Erm...? I believe it won't I think 2000 cripples the extra functionality of 2003 but I think Chris will know better than I.


    Wes

  7. #7

    Join Date
    Feb 2006
    Posts
    1,187
    Thank Post
    0
    Thanked 1 Time in 1 Post
    Rep Power
    0

    Re: types of administrator account

    You can have domain controllers running Windows 2000 Server in a Windows 2003 domain. You just need the most recent version of adminpak.msi to be manage it from Windows 2000 or XP.

  8. #8

    Geoff's Avatar
    Join Date
    Jun 2005
    Location
    Fylde, Lancs, UK.
    Posts
    11,804
    Thank Post
    110
    Thanked 583 Times in 504 Posts
    Blog Entries
    1
    Rep Power
    224

    Re: types of administrator account

    Yeah, but you wont be able to raise the domain functional level (and get the extra features) to Windows 2003 Server.

  9. #9

    Join Date
    Oct 2005
    Location
    Wakefield, UK
    Posts
    51
    Thank Post
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    Re: types of administrator account

    ok,

    started to look at this, and it could be the solution...

    it will work nicely for controlling what they can and cant see in the active directory, however I still cant figure out what permissions to give to allow a non domain admin the ability to join a computer to a domain.

    I've added my test user to a group called technicains, and using the delegate control wizard i've allowed the test user to be able to create computer accounts (which works) but when i log on to a machine as that test user, the network ID settings are greyed out.

    What am i doing wrong~?

  10. #10

    Geoff's Avatar
    Join Date
    Jun 2005
    Location
    Fylde, Lancs, UK.
    Posts
    11,804
    Thank Post
    110
    Thanked 583 Times in 504 Posts
    Blog Entries
    1
    Rep Power
    224

    Re: types of administrator account

    Did you also assign them the 'add computers to domain' user right?

  11. #11

    Join Date
    Oct 2005
    Location
    Wakefield, UK
    Posts
    51
    Thank Post
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    Re: types of administrator account

    yes, here is what i have done in full


    made a new group "technicians"
    made a new user "penguin", who is a standard user not an admin
    made a new container "test"
    added penguin to technicians
    delegated required control over test ou

    gone to default domain policy, computer configuration, windows settings, security settings, local policies, user rights assignment and given the group technicians "add workstations to domain"

    penguin can now do the things in the test ou i want, and not the things i dont great.

    However if penguin logs onto a workstation and goes to the network ID settings, all options are greyed out (even after a forced policy refresh)

    Basically I need to ask a new question;

    how to i allow a non administrator user to join a machine to the domain (for example a syspreped out of the box machine)


    Mathew

  12. #12

    Join Date
    Aug 2006
    Posts
    12
    Thank Post
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    Re: types of administrator account

    The way I thought it worked is that any user account can add up to 10 computers to a domain, if they need to add more they will need to be a member of the account operators group or have permissions delegated to them in AD.

    I would guess the change name button is greyed out because they are not local administrators. Perhaps you should create a "tech" group with all of your IT staff in the group and add it to the local administrators groups on your PCs (doable through restricted groups in group policy or manually).

    MS article

  13. #13

    Geoff's Avatar
    Join Date
    Jun 2005
    Location
    Fylde, Lancs, UK.
    Posts
    11,804
    Thank Post
    110
    Thanked 583 Times in 504 Posts
    Blog Entries
    1
    Rep Power
    224

    Re: types of administrator account

    You can't do that with a domain account. You need a local group on the machine with 'add computer to domain' rights.

  14. #14

    Join Date
    Oct 2005
    Location
    Wakefield, UK
    Posts
    51
    Thank Post
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    Re: types of administrator account

    that explains it then;

    so am i right in saying, other than making my technicians member of domain admins (and giving them unwanted access to the AD) there is no way i can let them add remove and chage machine identifications?

  15. #15

    Geoff's Avatar
    Join Date
    Jun 2005
    Location
    Fylde, Lancs, UK.
    Posts
    11,804
    Thank Post
    110
    Thanked 583 Times in 504 Posts
    Blog Entries
    1
    Rep Power
    224

    Re: types of administrator account

    They can if the machine is already on the domain. But it's a bit pointless then.

SHARE:
+ Post New Thread
Page 1 of 2 12 LastLast

Similar Threads

  1. MRBS - Entry Types
    By Mauger in forum Network and Classroom Management
    Replies: 5
    Last Post: 9th January 2008, 11:38 AM
  2. Backup Types
    By mmoseley in forum Network and Classroom Management
    Replies: 4
    Last Post: 27th October 2007, 10:47 PM
  3. Report Types
    By mark80 in forum MIS Systems
    Replies: 6
    Last Post: 15th May 2007, 03:35 PM
  4. Renaming the Administrator Account
    By tosca925 in forum Windows
    Replies: 20
    Last Post: 3rd July 2006, 05:02 PM
  5. Administrator Account
    By Gatt in forum Windows Vista
    Replies: 0
    Last Post: 2nd April 2006, 09:51 AM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •