create tech admin user/group, not admin on dc?


  • create tech admin user/group, not admin on dc?

    Tried to keep the title short, but it seems confusing. Anyway, this is what I was wondering or wanted. I wanted to create a tech user and group that would have admin rights on client PCs but have a limited user account on servers. Is this possible? There is only one domain, with 2003/XP machines. The reason being, in case the tech account gets compromised, the user won't have admin rights to the servers. I want the account to be able to join PCs to the domain also. Should I allow this account to have rights for GPOs and user and computer OUs? Thanks in advance for comments.

  • #2
    Re: create tech admin user/group, not admin on dc?

    Use "restricted groups" in group policy
    Add the users to the admin group in a GPO linked to an OU containing the computers -- that way they will appear as local admins, but not have domain admin permissions.
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **
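
Added example, not part of the original posts: Restricted Groups settings are stored in the `[Group Membership]` section of the GPO's `GptTmpl.inf`, and this Python check reports whether a tech group lands in local Administrators through "Members" (which replaces the local group's membership) or "Memberof" (which only adds to it). The domain SID, the RID 1105 for the tech group, and the function names are constructed for illustration.

```python
LOCAL_ADMINS = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators

# Constructed sample of a GptTmpl.inf (already decoded to text).
# The domain SID and RID 1105 (the tech group) are made-up placeholders.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-512,*S-1-5-21-1111111111-2222222222-3333333333-1105
"""

def parse_restricted_groups(inf_text):
    """Return {group: {"members": [...], "memberof": [...]}} from GptTmpl.inf text."""
    groups, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        group, _, kind = key.strip().rpartition("__")
        if not group:
            continue  # not a <group>__Members / <group>__Memberof entry
        sids = [v.strip().lstrip("*") for v in value.split(",") if v.strip()]
        groups.setdefault(group.lstrip("*"), {})[kind.lower()] = sids
    return groups

def local_admin_effect(inf_text, tech_sid):
    """Describe how the policy puts tech_sid into local Administrators, if at all."""
    groups = parse_restricted_groups(inf_text)
    members = groups.get(LOCAL_ADMINS, {}).get("members")
    if members and tech_sid in members:
        # "Members" REPLACES the local group's membership with exactly this list.
        dropped_da = not any(s.endswith("-512") for s in members)  # 512 = Domain Admins
        return {"mode": "replace", "admins": members, "domain_admins_removed": dropped_da}
    if LOCAL_ADMINS in groups.get(tech_sid, {}).get("memberof", []):
        # "Memberof" on the tech group only ADDS it; existing local members stay.
        return {"mode": "additive", "admins": None, "domain_admins_removed": False}
    return None
```

Run it against the policy linked to the workstation OU and against any policy that applies to servers or domain controllers; for the separation asked about in the first post, the latter should return `None` for the tech group.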



    • #3
      Re: create tech admin user/group, not admin on dc?

      Thanks a bunch Ossian!



      • #4
        Re: create tech admin user/group, not admin on dc?

        Such a timely post... I needed a few more details on how it worked and after a search I found this: http://www.windowsecurity.com/articl...ed-Groups.html
        It helped me understand it better...

        And, thanks Ossian!
