Announcement

Collapse
No announcement yet.

workstation admin

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • workstation admin

    I created an OU named "Workstation". I created a group named " Workstation Admin". How do I give the group "workstation admin" rights to add/remove programs and join computers to the domain?

  • #2
    Re: workstation admin

    What OS are you using and what AD version are you using?
    "To err is human but to really **** things up requires a computer user..."

    "The path to enlightenment is /user/bin/enlightenment"

    A+ CE

    Comment


    • #3
      Re: workstation admin

      Originally posted by superhl View Post
      I created an OU named "Workstation". I created a group named " Workstation Admin". How do I give the group "workstation admin" rights to add/remove programs and join computers to the domain?
      Make sure computer objects are on the OU first. For the first query create a Gpo and edit the Restricted Groups policy to add the "Workstation Admins" group to the local Administrator group.
      For the second query, in ADUC, right click on the OU you created and use the Delegation wizard.
      Caesar's cipher - 3

      ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

      SFX JNRS FC U6 MNGR

      Comment


      • #4
        Re: workstation admin

        All users can (by default) join up to 10 computers to the domain without special privileges.
        Tom Jones
        MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
        PhD, MSc, FIAP, MIITT
        IT Trainer / Consultant
        Ossian Ltd
        Scotland

        ** Remember to give credit where credit is due and leave reputation points where appropriate **

        Comment


        • #5
          Re: workstation admin

          Server windows 2008 r2 64bit
          Windows XP sp3
          L4ndy,
          Is this this link http://www.windowsecurity.com/articl...ed-Groups.html that I should apply.
          I added members of this groups "workstation admins" and this group is a member of "adminsitrators"
          Thanks for the help!
          Update:
          I made the above changes but the workstation admin group still does not enough rights to change add/remove programs.
          The users that are members of the Workstation admin groups have just standard"user"rights. Do I need to add those members to the admin group first? I am confused!
          Attached Files
          Last edited by superhl; 17th November 2010, 23:20. Reason: update

          Comment


          • #6
            Re: workstation admin

            they need to belong to the administrators group on each local workstation.


            Please do show your appreciation to those who assist you by leaving Rep Point https://www.petri.com/forums/core/im.../icon_beer.gif

            Comment


            • #7
              Re: workstation admin

              tehcamel,
              Can you explain why they need to be membere of the admin group on the local workstation. I can't belive there isn't a better way. All I am trying to do is give a user rights to add/remove programs, change computer name, etc.

              Comment


              • #8
                Re: workstation admin

                Originally posted by superhl View Post
                why they need to be membere of the admin group on the local workstation. I can't belive there isn't a better way.
                Changing system settings requires special privileges. For the XP systems, try the Power Users group. It doesn't have all the admin rights, but sometimes those extra privileges are just enough.

                -vP

                Comment


                • #9
                  Re: workstation admin

                  Originally posted by superhl View Post
                  tehcamel,
                  Can you explain why they need to be membere of the admin group on the local workstation. I can't belive there isn't a better way. All I am trying to do is give a user rights to add/remove programs, change computer name, etc.
                  because administrative (or at least power user) is the rights that are required to install programs ?

                  they other way would be to work exactly which directorys, files, folders and registry keys and hives the program installations would need, and go and apply permission to each of those individually.

                  so putting the user account into a preconfigured group, that is specificly designed for things like this, IS the better way.

                  there's plenty of other ways to delegate permissions, but you'd need to know EXACTLY what is required, and you seem to require the "better" way to do it.

                  in my mind, doing it quickly and simply, unless i'm in a super restricted environment, is the better way than needing to dig through every possible location where permissions would need to be granted


                  this MS Article http://support.microsoft.com/kb/295017 actually says specifically "Generally, you must have administrative permissions to do anything in this article"
                  Last edited by tehcamel; 18th November 2010, 08:18.
                  Please do show your appreciation to those who assist you by leaving Rep Point https://www.petri.com/forums/core/im.../icon_beer.gif

                  Comment


                  • #10
                    Re: workstation admin

                    Thanks for the reply! Ok, when I log in as Administrator I can make changes, add remove, rename, etc. However, when I add that user to the administrator group, they still cannot make any changes. My thougts are to add the user to the admin group and take away his rights to see other staff's files and folders.

                    Comment

                    Working...
                    X