Desktop Admin


pittspeed

Hello,

i would like to hear your suggestions on how to properly make a desktop
admin group policy that would be for a lower level admin to install and
configure the local machine, but give no network access?

i was poking around and can make one up that would limit the ability to
hit a network resource, but there are always tricks around that, like the $
in a unc path for instance, so i'm trying to figure out the best bulletproof
way.

Thanks in advance for your responses.
 
The way to do this is make the desktop admins domain users and a member of a
new group, i.e. desktop admins and add the desktop admins group to the local
admins group of local machines via the restricted groups policy.


--

Paul Williams
_________________________________________
http://www.msresource.net

Join us in our new forums!
http://forums.msresource.net
_________________________________________
 
thank you for the response...

currently i have a new 'group' called Desktop admin... that group has local
admin right, and domain user rights.

i'm confused on your sentence "and add the desktop admins group (desktop
admin) to the local admins group of the local machines via the restricted
groups policy"

so how do you invoke local rights (local admin group) on a workstation
through AD?
 
For example, to add a domain group to the power users group (local only):

Load a GPO and navigate to Computer Configuration\Windows Settings\Security
Settings\Restricted Groups

Right-click and choose add.

Enter Power Users (don't use Browse)

Double-click on Power Users (once it's been added) and add the new group
Desktop Admins to the 'Members of this group' section.

Upon policy refresh, the new group will be added to the local power users
groups on local PCs


--

Paul Williams
_________________________________________
http://www.msresource.net

Join us in our new forums!
http://forums.msresource.net
_________________________________________
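
The Restricted Groups setting described in the steps above is stored in the `[Group Membership]` section of the GPO's `GptTmpl.inf` security template, where it can be reviewed to see which principals policy places in local groups. The Python below is an added example, not part of the original thread; the sample template text and its domain SID are constructed, and `restricted_groups` and `admin_grants` are hypothetical helper names.

```python
# Well-known local group SIDs, identical on every Windows machine.
WELL_KNOWN = {"S-1-5-32-544": "Administrators", "S-1-5-32-547": "Power Users"}

# Constructed sample of a GptTmpl.inf; the domain SID and RID are made up.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Group Membership]
Power Users__Memberof =
Power Users__Members = *S-1-5-21-1111111111-2222222222-3333333333-1105
*S-1-5-21-1111111111-2222222222-3333333333-1105__Memberof = *S-1-5-32-544
*S-1-5-21-1111111111-2222222222-3333333333-1105__Members =
"""

def _name(token):
    """Strip the '*' SID marker and map well-known SIDs to group names."""
    token = token.strip().lstrip("*")
    return WELL_KNOWN.get(token, token)

def restricted_groups(inf_text):
    """Return (local_group, principal, mode) for every configured membership."""
    grants, in_section = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        principal, sep, kind = key.strip().rpartition("__")
        if not sep:
            continue
        for other in (_name(v) for v in value.split(",") if v.strip()):
            if kind.lower() == "members":
                # "Members of this group": authoritative list for the group.
                grants.append((_name(principal), other, "replace"))
            elif kind.lower() == "memberof":
                # "This group is a member of": added to the target group.
                grants.append((other, _name(principal), "add"))
    return grants

def admin_grants(inf_text):
    """Entries that place a principal in the local Administrators group."""
    return [g for g in restricted_groups(inf_text) if g[0] == "Administrators"]
```

A `replace` entry is authoritative: on policy refresh, existing members of that local group that are not listed are removed, while an `add` entry leaves the group's other members in place.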
 
thanks guys... i was on the right track but was caught up on the GPO part...

i'm sort of ashamed i didn't just think of this... try not to tell anyone :p
 
i've made all the changes that were outlined in that website, and all the
changes that were given to me by the previous poster. I've applied the
restricted group in my GPO and refreshed my policy and all should be good...
well

i log into a fresh machine and pull down the user info... i double click on
network and microsoft network and my entire LAN is there... then i double
click on my servers and all my shares are there... then i type \\server\c$
and here is the root.

so it's not properly working... i created the group desktop admin with only
local admin rights... i have them in the admin org unit, but they are a
restricted group, so i don't know why this isn't working for me.

adversely, the 'my computer' icon is nowhere to be found, and i can't
enable it using XP... i also can't change the 'mode' of the start menu from
classic to XP... so i'm wondering if i goofed something up... i'm rechecking
my steps...


ALSO, i created a brand new GPO to use, and it had the same results...
please advise...

thank you.
 
I'm thinking that what's happening is that you're adding these users to the
domain administrators group -or worse, just the domain local admins group
which gives them admin control on DCs only.

I'm a little worried that I may have misled you - the example I gave works
because there isn't a domain power users group. I can't try this at the
moment, but does the .\Administrators work? After all, that's how Windows
displays a local account over a domainName\AccName...


--

Paul Williams
_________________________________________
http://www.msresource.net


Join us in our new forums!
http://forums.msresource.net
_________________________________________


 
