GPO for LAN admin - advice please

  • GPO for LAN admin - advice please

    This is part Group Policy and part Delegation of Admin. I thought I'd post here and will in the AD forum as well.


    I’m a bit confused on the best way to config Delegation of Admin and/or User Rights in Group Policy. I have several remote sites with their own local LAN Admin. They need some admin privileges. I’ve looked at Delegation of Admin and can give them the ability to reset passwords etc. and assign them to a group and assign that group to the users OU for their OU/site. To be able to reset passwords etc. they’ll need to log on to their local DC or RDP to it, and this is where I’m confused. Do I enable ‘log on locally’ and ‘allow logon through terminal’ in the Default Domain Controllers Group Policy? If I do that, then won’t they be able to log on to any DC? I only want them to be able to log on to their own DC. So should I create/edit a GPO for these user rights and assign it to their site instead of the OU?

    I also need them to be able to join workstations to the domain. I see the user right ‘Add workstations to domain’. Again, apply this…at OU level?

    Thanks for any advice

  • #2
    Re: GPO for LAN admin - advice please

    So, you are interested in delegating the following privileges: reset user passwords and join desktops to the domain.
    Step 1. Create a proper OU structure (let's say a root OU (site name) and two second-level OUs, one for users and one for computers);
    Step 2. Delegate the proper task to the proper group.

    The local admins don't have to log on to DCs. They can install the ADMIN.msi administration pack on an XP machine and have the Active Directory Users and Computers snap-in available locally.
    Csaba Papp
    MCSA+messaging, MCSE, CCNA
    Remember to give credit where credit is due and leave reputation points where appropriate
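    The two steps from post #2, as an added example that is not part of the thread: it builds the site OU structure and then delegates only "Reset Password" on user objects and "Create computer objects" on the computers OU to a per-site group, so the LAN admins never need the "Log on locally" or "Add workstations to domain" rights on a DC. Assumed names: the current domain, a site OU called Site1 and a group called Site1-LANAdmins; it needs the ActiveDirectory PowerShell module and a domain-admin session.

```powershell
# Added example (not the thread's own steps verbatim): OU structure plus task delegation.
# Assumptions: site OU "Site1" under the current domain, group "Site1-LANAdmins".
Import-Module ActiveDirectory

$domainDN  = (Get-ADDomain).DistinguishedName
$siteOU    = "OU=Site1,$domainDN"
$usersOU   = "OU=Users,$siteOU"
$compsOU   = "OU=Computers,$siteOU"
$groupName = "Site1-LANAdmins"

# Step 1: root OU for the site, with Users and Computers OUs beneath it
foreach ($pair in @(@("Site1", $domainDN), @("Users", $siteOU), @("Computers", $siteOU))) {
    $name, $path = $pair
    if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$name)" -SearchBase $path -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name $name -Path $path
    }
}
if (-not (Get-ADGroup -LDAPFilter "(sAMAccountName=$groupName)")) {
    New-ADGroup -Name $groupName -GroupScope Global -Path $siteOU
}
$sid = (Get-ADGroup $groupName).SID

# Well-known schema and extended-right GUIDs (published by Microsoft, not site-specific)
$userClass     = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"   # user object class
$computerClass = [Guid]"bf967a86-0de6-11d0-a285-00aa003049e2"   # computer object class
$resetPassword = [Guid]"00299570-246d-11d0-a768-00aa006e0529"   # "Reset Password" control access right

function Grant-OUAce {
    param([string]$OU, [System.Security.Principal.SecurityIdentifier]$Sid,
          [System.DirectoryServices.ActiveDirectoryRights]$Rights, [Guid]$ObjectType,
          [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance = 'All',
          [Guid]$InheritedObjectType = [Guid]::Empty)
    $acl = Get-Acl -Path "AD:\$OU"
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Sid, $Rights, [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectType, $Inheritance, $InheritedObjectType)
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$OU" -AclObject $acl
}

# Step 2a: Reset Password, inherited only by user objects below the Users OU
Grant-OUAce -OU $usersOU -Sid $sid -Rights ExtendedRight -ObjectType $resetPassword `
            -Inheritance Descendents -InheritedObjectType $userClass
# Step 2b: create computer objects in the Computers OU (enough for domain joins)
Grant-OUAce -OU $compsOU -Sid $sid -Rights CreateChild -ObjectType $computerClass

# Verify: list only the ACEs that the site group now holds on each OU
foreach ($ou in $usersOU, $compsOU) {
    (Get-Acl -Path "AD:\$ou").Access | Where-Object { $_.IdentityReference -like "*\$groupName" } |
        Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
}
```

    The verification loop is the check to rerun after any later change: if anything beyond the two delegated ACEs shows up for the site group, the delegation has drifted wider than intended.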