Question

  • Creator
    Topic
  • #2216381

    Junior Admministrator Account, WinXP?

    Locked

    by lfruchter ·

    Dear Wise Ones,

    I think I finally have a quick, easy question to ask. I run an XP/Server 2003 network in a school. I’ve been given two very trustworthy students to help me out and I want to give them administrator privileges on the workstations. I’m happy if they can use their logins to do anything to the workstations EXCEPT change the original administrator password. So far, none of the account types that I’ve tried (Backup Operators, Help Services Group, Network Configuration Operators or Power Users) give enough administrator privileges and if I make them Administrators, then they can change the original Administrator password from the Users control panel.

    Is there any way to do what I want: create an account that has full Administrator powers EXCEPT for messing with the original Administrator account? I don’t mind if such an account will give them such access from the command line, I just don’t want it to be possible through control panels.

    Thanks much as always,
    Lev in Brooklyn

All Answers

  • Author
    Replies
    • #2817136

      Clarifications

      by lfruchter ·

      In reply to Junior Admministrator Account, WinXP?

      Clarifications

    • #2817416

      Maybe This…

      by rkuhn040172 ·

      In reply to Junior Admministrator Account, WinXP?

      I think what you want is in AD on your domain controller.

      In AD Users & Computers click View and then check Advanced Features.

      At that point, you should be able to create a new group called say Junior Admins and more granularly control what they can and can’t do on the Security tab.

      • #2815524

        Will it…

        by lfruchter ·

        In reply to Maybe This…

        Network control, that’s always the way to go, isn’t it? Okay, but what if my workstations (90% of which are laptops) can’t connect to the domain controller? If my Junior Admins have logged onto a machine once, will that machine retain their security privileges (as defined by the DC) when the machine can’t connect to the DC? See, in most of the cases when I would have my Junior Admins attend to a machine, that machine would have lost its connection to the DC. I’ll get to work testing this, of course, but if anyone knows already, I’d be grateful.

        Best, Lev in BK

    • #2817401

      Delegate authority

      by cg it ·

      In reply to Junior Admministrator Account, WinXP?

      .

Viewing 2 reply threads