Domain Rights


immorall


I have one domain and I want to create a sub-administrator account that can do various things on the local machine such as change the computer name, the IP address, and/or install a printer/program. Now from what I read, with domain admins and enterprise admins or any users that are part of those groups, their accounts are already added to the local administrators group on the local machine. This is why when they log in, they can do these types of things: change the computer name, IP, printer/program, add to the domain, etc. So getting to my question, how would you create a user that you didn't want to add to the domain admins or enterprise admins group, but still wanted LOCAL admin rights? In other words, I just want a user that doesn't have any domain administrative rights, but can log onto any machine and has full local admin rights. I tried doing a group policy that applied to that user that ENABLED them with those rights, but the GP didn't affect anything. I even put it ahead of the domain default GP just to make sure that wasn't affecting anything. I know there is a place in AD for "delegation", but most of that is just rights for the actual AD structure, not rights which I'm wanting on local machines. How would I go about doing this?



Best bet would be to create a global group in AD and add the users that you want to have the ability to do what you want, or if it's a generic account, just that account. Then add that group to the local admin group of each PC.


Is there any other way? Both of your solutions here require adding a local account to the computer. With almost 1000 machines, that's real time worthy. I thought maybe there was some way to automatically add a domain user account or group to the local computer with admin rights. I mean, I would think there would be some way. How do organizations with thousands and thousands of computers do it? I know they don't give each member in their IT department domain admin or enterprise admin rights. So how would an IT tech or sub-administrator change a computer name, change an IP address on a computer, or install a program without having the Network Administrator with a domain admin or enterprise admin account come do it for them?


Well for a start, an IT Tech would NEVER give everyone local admin rights because that's just crazy.

Let's start with adding a member to a domain. The default setting for Windows Server 2003 lets each user add up to 10 computers to a domain anyway, providing of course, the Network Admin adds each computer in the Active Directory Users and Computers snap-in.

Anyway, you can just allow them to do this in the Group Policy Management Console | User Rights Assignment | Add workstations to domain.

Under Security Options in the Group Policy Management Console you can allow people to install printers.

You can automate software rollout in Group Policy as well, but it's best not to allow everyone to be able to do this themselves, otherwise some people will start installing unlicensed software they have downloaded or brought in from home.


GPO would be the best way to push out a user account to the masses, or a logon script. You DO NOT add the users to the domain admin or enterprise admin group; having them as part of the local admin group is all you need to be able to change computer name and IP and such. Far better would be to allow your Techs to know the local admin password (but just them) and use the runas command to make changes and edits to the machine. This will allow them to run programs and make changes as a computer admin while logged on as themselves or as the user.


The easiest way that won't require you going to every machine to add the user(s) to the Local Admin group would be to create a domain group for the users you want to have local admin privs on your workstations (but not domain admin privs in your domain). Now create a simple CMD file with the following command:

NET LOCALGROUP Administrators /ADD "DOMAIN\New Group Name"

Now set that CMD file as a startup script in GPO. This will ensure that the group is always there and will always be re-added if it's ever removed. It's also a good idea to add the following line in case the individual you give local admin privs to decides to try to lock out the domain admins:

NET LOCALGROUP Administrators /ADD "DOMAIN\Domain Admins"

You could even have a different Group and Startup Script for each OU.

I would recommend creating a separate admin account for them to use for admin purposes though. For instance, their normal account would be something like firstname.lastname and this would be tied to their Exchange mailbox, etc. Then the separate admin account would be something like firstname.lastname.admin and not have privs to anything except what is required to perform admin functions.

Edited by nmX.Memnoch
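The startup-script approach described above, written as an added PowerShell example (not the poster's CMD file): it checks the local Administrators group before adding, so it is idempotent and logs what it did; DOMAIN, "Workstation Admins" and the log path are assumed placeholders.

```powershell
# GPO Computer Configuration startup script: runs as SYSTEM at boot on every
# machine the GPO applies to. Keeps the delegated domain group (and Domain
# Admins, so nobody can lock them out) in the local Administrators group.
# DOMAIN and 'Workstation Admins' are placeholders: replace with your own.
$Domain         = 'DOMAIN'
$RequiredGroups = @('Workstation Admins', 'Domain Admins')
$LogPath        = "$env:SystemRoot\Temp\LocalAdminSync.log"   # assumed path

function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" |
        Out-File -FilePath $LogPath -Append -Encoding ascii
}

# Bind to the built-in Administrators group through the WinNT ADSI provider,
# which works on older clients that lack the LocalAccounts cmdlets.
$Admins = [ADSI]'WinNT://./Administrators,group'

# Current members as ADsPaths, e.g. WinNT://DOMAIN/Domain Admins
$Members = @($Admins.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
})

foreach ($Group in $RequiredGroups) {
    $Path = "WinNT://$Domain/$Group"
    if ($Members -contains $Path) {
        Write-Log "Already present: $Domain\$Group"
        continue
    }
    try {
        # Equivalent of: NET LOCALGROUP Administrators /ADD "DOMAIN\Group"
        $Admins.psbase.Invoke('Add', $Path)
        Write-Log "Added: $Domain\$Group"
    } catch {
        Write-Log "FAILED to add $Domain\$Group : $($_.Exception.Message)"
    }
}
```

Because a startup script runs before any user logs on, the log file is the only place a failed add (for example a mistyped group name) will show up, so check it on a test machine before linking the GPO to the whole domain.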

Just keep in mind that we're all recommending a Domain Group for the users because then you can add/remove users from that group to add/remove them from local admin privs without having to make changes to every workstation. Make the change to the Domain Group and you're done. :)

Edited by nmX.Memnoch