restricted admins...

Michel B.

Hi,

I've been asked to do 2 things and I wanted to know what you guys think
would be the best way. I already have a way to achieve my goal but I'm
looking for a better way to do that (if any exists).

Here it goes:

1- I need to set up a user (the technician) to access the properties of
accounts in AD (to reset passwords and/or unlock them). He has to log on
locally/interactively on one of the DCs (the one with all the FSMO roles).

BTW I had something strange when I set the local policies on the DC to
allow the user to log on locally. I had set all admins groups/accounts and
this particular account. Few times after I did this, users began to call me
telling that they had a message that they couldn't log on interactively. Is
there a way to set up "local" policies on the DC to allow a user account to
log on locally?

2- I have to give full control over 5 servers to 2 guys, the ERP dev team.
They should have the right to install/uninstall anything on the servers. I
thought to give them an account which is local administrator on those
servers.

Thanks

M.Bruyere
 
--------------------
From: "Michel B." <[email protected]>
Subject: restricted admins...
Date: Thu, 20 May 2004 11:07:53 -0400

Hi,

I've been asked to do 2 things and I wanted to know what you guys think
would be the best way. I already have a way to achieve my goal but I'm
looking for a better way to do that (if any exists).

Here it goes:

1- I need to set up a user (the technician) to access the properties of
accounts in AD (to reset passwords and/or unlock them). He has to log on
locally/interactively on one of the DCs (the one with all the FSMO roles).

BTW I had something strange when I set the local policies on the DC to
allow the user to log on locally. I had set all admins groups/accounts and
this particular account. Few times after I did this, users began to call me
telling that they had a message that they couldn't log on interactively. Is
there a way to set up "local" policies on the DC to allow a user account to
log on locally?

2- I have to give full control over 5 servers to 2 guys, the ERP dev team.
They should have the right to install/uninstall anything on the servers. I
thought to give them an account which is local administrator on those
servers.
-----------------------

1. Any local policy settings on a DC will be overridden by the settings on
the Default Domain Controllers Policy (you will find it in AD Users and
Computers at the Domain Controllers container)

2. Put the user accounts into an "ERP Dev" group, then add the ERP Dev
group to the Administrators group on each server.


--
~~ JASON HALL ~~
~ Performance Support Specialist,
~ Microsoft Enterprise Platforms Support
~ This posting is provided "AS IS" with no warranties, and confers no
rights.
~ Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
~ Note: For the benefit of the community-at-large, all responses to this
message are best directed to the newsgroup/thread from which they
originated.
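
On answer 1: "Allow log on locally" is one list per policy, and the list from the winning policy replaces the others instead of being merged with them, so granting the technician the right must not drop the built-in entries. The following Python check is an added example, not code from this thread; it reads a security-template (.inf) export and flags that condition. The sample text and the technician group SID are constructed.

```python
import configparser

RIGHT = "SeInteractiveLogonRight"  # internal name of "Allow log on locally"
ADMINS = "*S-1-5-32-544"           # well-known SID of BUILTIN\Administrators
# Hypothetical SID standing in for the technician's group (constructed).
TECH = "*S-1-5-21-1111111111-2222222222-3333333333-1605"

# Constructed samples in the [Privilege Rights] layout of a
# `secedit /export /areas USER_RIGHTS /cfg rights.inf` export.
HEADER = '[Unicode]\nUnicode=yes\n[Version]\nsignature="$CHICAGO$"\nRevision=1\n'
GOOD = HEADER + f"[Privilege Rights]\n{RIGHT} = {ADMINS},*S-1-5-32-551,{TECH}\n"
BAD = HEADER + f"[Privilege Rights]\n{RIGHT} = {TECH}\n"  # list was replaced
UNSET = HEADER + "[Privilege Rights]\nSeBackupPrivilege = *S-1-5-32-544\n"


def interactive_logon_sids(inf_text):
    """Return the principals granted the right, or None when the template
    does not define it (another policy's list then applies)."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep the case of right names
    cp.read_string(inf_text)
    if not cp.has_option("Privilege Rights", RIGHT):
        return None
    raw = cp.get("Privilege Rights", RIGHT)
    return {item.strip() for item in raw.split(",") if item.strip()}


def audit(inf_text, delegated=TECH, required=(ADMINS,)):
    """List problems with the 'Allow log on locally' assignment."""
    sids = interactive_logon_sids(inf_text)
    if sids is None:
        return [f"{RIGHT} is not defined in this template"]
    findings = [f"{sid} lost the right" for sid in required if sid not in sids]
    if delegated not in sids:
        findings.append(f"{delegated} was not granted the right")
    return findings


if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BAD", BAD), ("UNSET", UNSET)):
        print(name, audit(text) or "ok")
```

A real export from `secedit` is written as UTF-16, so open it with `encoding="utf-16"` before passing the text to `audit`.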
 
Hi Jason,
So if I understand correctly in 1, adding the user right in
the default DC policy will do what I want: allow a non-admin user to log on
the DC. As per 2, that was what I thought to do, thanks for confirming it.

Thanks!
 