Basic User Setup


Adrian Marsh

Hi,

I've set up some OUs on my domain, separating out Computers and Users,
and in addition I've created a 3rd OU for "test" computers.

I can see that I can still add users to groups, as in NT4, but how can I
enable the users that use machines in the "test" OU to be local
administrators of the machines in the "test" OU, but not be local
admins of Computers in the normal "Computers" OU? And how can these
users be set up as admins of the "test" computers, but not admins of the
Domain itself (i.e. not part of Domain Admins group). Normally I'd add
them locally on those PCs into the client Administrators group, but
there must be a way of doing this from the Domain itself..

I'm guessing that it has something to do with the Built-in group
Administrators in the Domain, but I can't quite see how it fits.

Adrian
 

Steven Umbach

You could use the computer configuration "restricted groups" to create a global
group and for instance put domain admins and domain users in it and then use
restricted groups to enforce the membership of the domain computers in that OU
to contain your global group. The downside of this method is that it will
probably remove all existing members of the local administrators groups on those
computers, hence the name restricted groups and domain users would be
administrators of all computers in OU, not just a particular one. If you do not
want to wipe out current membership of the local administrators group in that OU
you could use a logon script to add a global group [such as domain users or a
custom group you create]. Such a script could use the net command as in [ net
localgroup administrators mydomain\mygroup /add ]. If you want to have a user be
administrator on just their computer, you will need to individually add their
domain account to the local administrators group on their computer. You can also
restrict what domain computers a user accesses via their logon to restrictions
in their AD account properties and also through the user rights for logon
locally and access this computer from the network. There are also deny user
rights for those two settings but be careful with deny user rights as they
override any "allow" user right and administrators are also members of the users
and everyone groups. Also local administrators have no special rights in the
domain. --- Steve

http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q320065 --- this must
be done at the OU level for local administrator groups or you run the risk of
adding to the administrators group for the domain!!
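
The script approach from the reply above, as an added example that is not part of the original thread: it wraps the `net localgroup ... /add` command in a guard so the group is added only on machines under the test OU and never on a domain controller. It assumes PowerShell 3.0 or later and that it runs as a computer startup script (Local System), since changing the local Administrators group needs administrative rights; `MYDOMAIN`, `TestLabAdmins` and the OU distinguished name are placeholders.

```powershell
# Added example. Domain, group and OU names are constructed placeholders.
$Domain   = 'MYDOMAIN'                      # NetBIOS domain name
$Group    = 'TestLabAdmins'                 # hypothetical global group
$TargetOu = 'OU=Test,DC=mydomain,DC=local'  # assumed DN of the "test" OU

function Test-UnderOu {
    param([string]$ComputerDn, [string]$OuDn)
    # True only when the computer object sits in the OU or one of its child OUs.
    return $ComputerDn.EndsWith(",$OuDn", [StringComparison]::OrdinalIgnoreCase)
}

function Get-ComputerDn {
    # ADSystemInfo is late-bound COM, so the property is read through InvokeMember.
    $info = New-Object -ComObject ADSystemInfo
    return $info.GetType().InvokeMember('ComputerName', 'GetProperty', $null, $info, $null)
}

function Add-GroupToLocalAdmins {
    param([string]$Account)
    # "net localgroup" prints one member per line; -contains is case-insensitive.
    $members = & net.exe localgroup Administrators | ForEach-Object { $_.Trim() }
    if ($members -contains $Account) { return 'already a member' }
    & net.exe localgroup Administrators $Account /add | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "net localgroup failed with exit code $LASTEXITCODE" }
    return 'added'
}

# DomainRole 4 and 5 are domain controllers, where "Administrators" is the
# domain's built-in group rather than a machine-local one.
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
if ($role -ge 4) {
    Write-Output 'Domain controller: nothing changed.'
    exit 0
}

$dn = Get-ComputerDn
if (-not (Test-UnderOu -ComputerDn $dn -OuDn $TargetOu)) {
    Write-Output "Not under ${TargetOu}: nothing changed ($dn)."
    exit 0
}

$result = Add-GroupToLocalAdmins -Account "$Domain\$Group"
Write-Output "${Domain}\${Group}: $result"
```

The group name `Administrators` is the English name; on localized Windows installations the local group is named differently.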
 
