Domain Credentials

This topic contains 4 replies, has 3 voices, and was last updated by JeremyW 11 months, 1 week ago.

    Kobe 310
    Participant
    #613846

    Is there a way I can create a domain account where a user can make changes on a domain computer, such as add\remove programs, add\edit\delete files within the root, but not be able to use that account to join a computer to the domain, or log into the domain server?

    Thanks

    wullieb1
    Moderator
    #613855

    Not that I’m aware of.

    Daft question time. Why do you want to allow users to install software on a DC??

    Kobe 310
    Participant
    #613856

    Hey wullieb1, thanks for responding!

    Not a server, a domain computer. Ex.: a computer used to check in people at the front office at a business that is part of a domain… I’m assuming I should have said a computer joined to the domain???

    I don’t want just anybody in the IT Dept. to have access to log into the DC. I only want them to have the ability to log into a computer joined to the domain, or a computer on the domain… (by the way, how in the hell do I say that? Sounds weird.) and make any changes that they need to, except for having the power to log into the DC, or join a computer to the DC.

    Like a power user or something like that. I’ve seen tons of answers on the web, but none seem to be specific to the point. I would assume this would be a common request by IT administrators… or not?

    wullieb1
    Moderator
    #614213

    Yes, it probably can be done using delegation of rights.

    JeremyW
    Moderator
    #614423

    You can add the domain user or group to the computer’s local Administrators group. (Domain computer, domain joined computer, and computer on the domain are all common ways of referring to the same thing.)

    You can use group policy and restricted groups to control the membership too if you like to apply it to many computers and not just one at a time like the above method. https://support.microsoft.com/en-us/help/279301/description-of-group-policy-restricted-groups

    You may want to use LAPS to control the local administrator account: https://technet.microsoft.com/en-us/mt227395.aspx?f=255&MSPPError=-2147217396

    Also note that by default all users can join up to 10 computers to the domain. Here’s info on how to configure that: https://social.technet.microsoft.com/wiki/contents/articles/5446.active-directory-how-to-prevent-authenticated-users-from-joining-workstations-to-a-domain.aspx
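
The two settings discussed in the last reply, as an added PowerShell example that is not part of the original thread: it reads and zeroes the domain's `ms-DS-MachineAccountQuota` (the default of 10 joins per user) and adds a domain group to the local Administrators group on selected workstations. The group name `Workstation-Admins`, the computer name `FRONTDESK-PC01`, and the use of WinRM remoting are assumptions.

```powershell
#requires -Modules ActiveDirectory
# Run from a management host with RSAT, as an account allowed to modify the domain object.
# Hypothetical names (not from the thread): Workstation-Admins, FRONTDESK-PC01.

function Get-DomainJoinQuota {
    # Number of computers an ordinary authenticated user may join to the domain (default 10).
    $domain = Get-ADDomain
    (Get-ADObject -Identity $domain.DistinguishedName `
        -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
}

function Set-DomainJoinQuotaZero {
    # With the quota at 0, only accounts explicitly delegated the right to
    # create computer objects can join machines to the domain.
    $domain = Get-ADDomain
    Set-ADDomain -Identity $domain.DistinguishedName `
        -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
}

function Add-WorkstationAdminGroup {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [Parameter(Mandatory)] [string]   $DomainGroup   # e.g. 'CONTOSO\Workstation-Admins'
    )
    # Assumes WinRM is enabled on the targets. S-1-5-32-544 is the well-known SID of
    # the built-in Administrators group, so this works regardless of OS language.
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        param($Group)
        $present = Get-LocalGroupMember -SID 'S-1-5-32-544' |
            Where-Object { $_.Name -eq $Group }
        if (-not $present) {
            Add-LocalGroupMember -SID 'S-1-5-32-544' -Member $Group
        }
        # Return the resulting membership so it can be reviewed.
        Get-LocalGroupMember -SID 'S-1-5-32-544' |
            Select-Object @{ n = 'Computer'; e = { $env:COMPUTERNAME } }, Name, ObjectClass
    } -ArgumentList $DomainGroup
}

# Usage with the placeholder names above:
"Quota before: $(Get-DomainJoinQuota)"
Set-DomainJoinQuotaZero
"Quota after:  $(Get-DomainJoinQuota)"

$group = "$((Get-ADDomain).NetBIOSName)\Workstation-Admins"
Add-WorkstationAdminGroup -ComputerName 'FRONTDESK-PC01' -DomainGroup $group
```

Membership added this way grants admin rights only on the listed workstations; for many machines, the Restricted Groups policy linked above applies the same membership centrally.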
