General discussion

admin abilities

By papula ·
hello everyone-

i am running a win2k3serv domain, with 2 servers. one is a DC, dhcp, dns, other is application server.

this is a very basic question, but i cannot think of the answer:

i have 2 techs working under me, i want them to handle all desktop support throughout the network. therefore they need to have admin rights on each machine with their domain login.

so i put them both in the domain admins group, this accomplished my needs- they are local admin equivalents at any machine they log on to.

the problem is that i do not want them to have admin rights on the servers, but they have same rights on them as client machines.

what can i do?

thanks for the help.

by kevin203 In reply to admin abilities

Hi,

There are three ways of doing that.

First is to prevent them from accessing the server from sharing security.

Second is to delete systems admin group from all groups that are related to them.

Third is add them to domain user group instead of Administrator cause domain user group also can be a user computer administrator.

hope it will help.

by papula In reply to

i guess i'm not understanding any of that answer:
1st do you mean prevent them from physical access??- i can't do that, but that wouldn't matter anyway because they could remote in. OR you may have meant prevent them from accessing shares- i can do that, but they could still access dsa.msc, which is what i don't want.
2nd- i don't know what systems admin group is.
3rd- a domain user cannot administrate domain computers.

by kevin203 In reply to admin abilities

Ok...

Domain user also can administrate domain computer if you assign them as the particular domain computer admin right.

You can also turn off the remote access or you can assign some user only to have right to remote.

And last, only server administrator can have full permission on server and not domain admin.

hope this will help.

by ManISKid In reply to admin abilities

You can explicitly deny logging onto the domain controller through the group policy.

computer configuration -- windows settings -- security settings -- local settings -- user rights assignment -- 'deny log on locally' and/or 'deny logging on through terminal services'. This is already defined in the default domain controllers group policy.

However, I think that the best thing to do is to simply create a new group and assign this group administrative rights but without the ability to administrate the server.

You may want to consider creating different groups and using the runas command to allow the administrators the ability to log on as 'account administrators' etc.

by papula In reply to

man in kid-

when you specify that in group policy, that is denying access to the local computer only right? that's for the DC only- how do i specify for other servers?

also- how do you assign admin rights but not to servers?

also -please expand on runas command.

thanks

by edwerg In reply to admin abilities

It sounds like the easiest procedure for you to follow would be to: create a new user group (global) for your techs, add the techs to the group. Go to each of the client pc's and add the new user group you just created to the local administrator group. This way once the group is added to the local pc's admin group you can add or delete the techs who you want to admin the local pc's. Hope this helps.
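The group-based approach described in the post above, as an added PowerShell example that is not part of the original thread: it adds a tech group to the local Administrators group on each client, then checks that the group is absent from the servers and that no tech is still in Domain Admins. The domain, group, user and computer names are constructed placeholders, and the script assumes the global group already exists and that it is run by an account with admin rights on every target.

```powershell
# Added example; every name below is a constructed placeholder, not taken from the thread.
$Domain    = 'EXAMPLE'            # NetBIOS domain name
$TechGroup = 'Desktop Techs'      # global group that holds the techs
$Techs     = 'tech1', 'tech2'     # the techs' domain logins
$Clients   = 'WS-001', 'WS-002'   # client PCs the techs should administer
$Servers   = 'DC01', 'APP01'      # the DC and the application server

# Return the ADsPath of every direct member of a group, e.g. WinNT://EXAMPLE/Desktop Techs.
# $Container is a computer name for a local group or the domain name for a domain group.
function Get-GroupMemberPath {
    param([string]$Container, [string]$Group)
    $g = [ADSI]"WinNT://$Container/$Group,group"
    foreach ($m in @($g.psbase.Invoke('Members'))) {
        $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
    }
}

$techGroupPath = "WinNT://$Domain/$TechGroup"

# 1. Clients: put the tech group into the local Administrators group (safe to re-run).
foreach ($pc in $Clients) {
    if ((Get-GroupMemberPath $pc 'Administrators') -contains $techGroupPath) {
        "$pc : $TechGroup already in local Administrators"
    } else {
        ([ADSI]"WinNT://$pc/Administrators,group").Add("$techGroupPath,group")
        "$pc : added $TechGroup to local Administrators"
    }
}

# 2. Servers: the tech group must not be an administrator here.
#    On a DC, "Administrators" is the domain's built-in Administrators group.
foreach ($srv in $Servers) {
    if ((Get-GroupMemberPath $srv 'Administrators') -contains $techGroupPath) {
        Write-Warning "$srv : $TechGroup is in Administrators; remove it"
    } else {
        "$srv : OK"
    }
}

# 3. Domain Admins: any tech still listed keeps admin rights on the servers too.
$domainAdmins = Get-GroupMemberPath $Domain 'Domain Admins'
foreach ($t in $Techs) {
    if ($domainAdmins -contains "WinNT://$Domain/$t") {
        Write-Warning "$t is still in Domain Admins"
    }
}
```

Only direct memberships are checked, so a tech group nested inside another administrative group would not be reported.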

by honu95 In reply to admin abilities

Run As Command: allows a user to run specific tools and programs w/ different permissions than the user's current logon provides.

-hold down shift + rt.click and select "run as"
-using the cmd prompt, type "runas /user:domain_name\username program_name"

you can also setup shortcuts by creating a shortcut of the item ie. mmc or perfmon, and type the CL Run As command (seen above) where you would type the location of the item when creating the shortcut.

good luck
