  • Creator
  • #2176739

    admin abilities


    by papula ·

    hello everyone-

    i am running a win2k3serv domain, with 2 servers. one is a DC, dhcp, dns, other is application server.

    this is a very basic question, but i cannot think of the answer:

    i have 2 techs working under me, i want them to handle all desktop support throughout the network. therefore they need to have admin rights on each machine with their domain login.

    so i put them both in the domain admins group, this accomplished my needs- they are local admin equivalents at any machine they log on to.

    the problem is that i do not want them to have admin rights on the servers, but they have same rights on them as client machines.

    what can i do?

    thanks for the help.

All Comments

  • Author
    • #3330502

      Reply To: admin abilities

      by kevin203 ·

      In reply to admin abilities


      There are three ways of doing that.

      First is prevent them from accessing the server from sharing security.

      Second is to delete systems admin group from all groups that are related to them.

      Third is add them to domain user group instead of Administrator cause domain user group also can be a user computer administrator.

      hope it will help.

      • #3329963

        Reply To: admin abilities

        by papula ·

        In reply to Reply To: admin abilities

        i guess im not understanding any of that answer:
        1st do you mean prevent them from physical access??- i cant do that, but that wouldnt matter anyway because they could remote in. OR you may have meant prevent them from accessing shares- i can do that, but they could still access dsa.msc, which is what i dont want.
        2nd- i dont know what systems admin group is.
        3rd- a domain user cannot administrate domain computers.

    • #3329664

      Reply To: admin abilities

      by kevin203 ·

      In reply to admin abilities


      Domain user also can administrate domain computer if you assign them as the particular domain computer admin right.

      You can also turn off the remote access or you can assign some user only to have right to remote.

      And last, only server administrator can have full permission on server and not domain admin.

      hope this will help.

    • #3329518

      Reply To: admin abilities

      by maniskid ·

      In reply to admin abilities

      You can explicitly deny logging onto the domain controller through the group policy.

      computer configuration — windows settings — security settings — local settings — user rights assignment — ‘deny log on locally’ and/or ‘deny logging on through terminal services’. This is already defined in the default domain controllers group policy

      However, I think that the best thing to do is to simply create a new group and assign this group administrative rights but without the ability to administrate the server.

      You may want to consider creating different groups and using the runas command to allow the administrators the ability to log on as ‘account administrators’ etc

      • #3342026

        Reply To: admin abilities

        by papula ·

        In reply to Reply To: admin abilities

        man in kid-

        when you specify that in group policy, that is denying access to the local computer only right? thats for the DC only- how do i specify for other servers?

        also- how do you assign admin rights but not to servers?

        also -please expand on runas command.


    • #3350955

      Reply To: admin abilities

      by edwerg ·

      In reply to admin abilities

      It sounds like the easiest procedure for you to follow would be to: create a new user group (global) for your techs, add the techs to the group. Go to each of the client pc’s and add the new user group you just created to the local administrator group. This way once the group is added to the local pc’s admin group you can add or delete the techs who you want to admin the local pc’s. Hope this helps
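
      The steps described in the reply above, written out as a batch file using the built-in `net group` and `net localgroup` commands. This is an added example, not part of the original post: the domain name EXAMPLE, the group name "Desktop Techs", the accounts tech1 and tech2 and the three-mode layout are assumptions, and the removal from Domain Admins and the `verify` mode go one step beyond the reply to cover the original question about the servers.

      ```batch
      @echo off
      rem Added example. EXAMPLE, "Desktop Techs", tech1 and tech2 are placeholders.
      setlocal
      set DOMAIN=EXAMPLE
      set GROUP=Desktop Techs
      set TECHS=tech1 tech2

      if /i "%~1"=="domain" goto domain
      if /i "%~1"=="client" goto client
      if /i "%~1"=="verify" goto verify
      echo Usage: %~nx0 domain ^| client ^| verify
      exit /b 1

      :domain
      rem Run once as a domain administrator: create the global group for the techs.
      net group "%GROUP%" /add /domain /comment:"Local admins on client PCs only"
      for %%U in (%TECHS%) do (
          net group "%GROUP%" %%U /add /domain
          rem The techs were placed in Domain Admins earlier; take them out again.
          rem An error here only means the account was not a member.
          net group "Domain Admins" %%U /delete /domain
      )
      exit /b 0

      :client
      rem Run on each client PC (never on the servers) with local admin rights.
      rem Skip the add if the group is already a member, so the script can be re-run.
      net localgroup Administrators | find /i "%DOMAIN%\%GROUP%" >nul
      if not errorlevel 1 (
          echo %GROUP% is already a local administrator on %COMPUTERNAME%.
          exit /b 0
      )
      net localgroup Administrators "%DOMAIN%\%GROUP%" /add
      exit /b %errorlevel%

      :verify
      rem Run on each server: the techs' group must NOT appear in Administrators.
      net localgroup Administrators | find /i "%DOMAIN%\%GROUP%" >nul
      if not errorlevel 1 (
          echo WARNING: %GROUP% has admin rights on server %COMPUTERNAME%.
          exit /b 2
      )
      echo OK: %GROUP% is not a local administrator on %COMPUTERNAME%.
      exit /b 0
      ```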

    • #3352131

      Reply To: admin abilities

      by honu95 ·

      In reply to admin abilities

      Run As Command: allows a user to run specific tools and programs w/ different permissions than the user’s current logon provides.

      -hold down shift + and select “run as”
      -using the cmd prompt, type “runas /user:domain_name\username program_name”

      you can also setup shortcuts by creating a shortcut of the item ie. mmc or perfmon, and type the CL Run As command (seen above) where you would type the location of the item when creating the shortcut.

      good luck
