Kobe 310 | Participant | February 5, 2019 at 12:00 pm | #613846
Is there a way I can create a domain account where a user can make changes on a domain computer, such as add\remove programs, add\edit\delete files within the root, but not be able to use that account to join a computer to the domain, or log into the domain server?
wullieb1 | Moderator | February 5, 2019 at 8:18 pm | #613855
Not that I’m aware of.
Daft question time. Why do you want to allow users to install software on a DC?
Kobe 310 | Participant | February 5, 2019 at 10:30 pm | #613856
Hey wullieb1, thanks for responding!
Not a server, a domain computer. Ex.: a computer used to check in people at the front office at a business that is part of a domain... I’m assuming I should have said a computer joined to the domain?
I don’t want just anybody in the IT Dept. to have access to log into the DC. I only want them to have the ability to log into a computer joined to the domain, or a computer on the domain (by the way, how in the hell do I say that? Sounds weird.) and make any changes that they need to, except for having the power to log into the DC, or join a computer to the DC.
Like a power user or something like that. I’ve seen tons of answers on the web, but none seem to be specific to the point. I would assume this would be a common request by IT administrators... or not?
wullieb1 | Moderator | February 11, 2019 at 8:34 pm | #614213
Yes, it probably can be done using delegation of rights.
JeremyW | Moderator | February 21, 2019 at 12:26 pm | #614423
You can add the domain user or group to the computer’s local Administrators group. (Domain computer, domain-joined computer, and computer on the domain are all common ways of referring to the same thing.)
You can use group policy and restricted groups to control the membership too, if you’d like to apply it to many computers and not just one at a time like the above method. https://support.microsoft.com/en-us/help/279301/description-of-group-policy-restricted-groups
You may want to use LAPS to control the local administrator account: https://technet.microsoft.com/en-us/mt227395.aspx?f=255&MSPPError=-2147217396
Also note that by default all users can join up to 10 computers to the domain. Here’s info on how to configure that: https://social.technet.microsoft.com/wiki/contents/articles/5446.active-directory-how-to-prevent-authenticated-users-from-joining-workstations-to-a-domain.aspx
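The two settings from the answer above, as an added example that is not part of any poster's reply: it reads the domain's `ms-DS-MachineAccountQuota` (the attribute behind the default of 10 joins per user) and reports or sets the local Administrators membership on one domain-joined computer. The group name `CONTOSO\Workstation-Admins` and computer name `FRONTDESK-PC01` are hypothetical, and the script assumes the RSAT ActiveDirectory module locally and PowerShell remoting enabled on the target.

```powershell
#Requires -Modules ActiveDirectory
# Added example. Run as an account allowed to read/modify the domain root
# and to administer the target computer. Without -Apply it only reports.
param(
    [string]$AdminGroup   = 'CONTOSO\Workstation-Admins',  # hypothetical domain group
    [string]$ComputerName = 'FRONTDESK-PC01',              # hypothetical domain-joined PC
    [switch]$Apply
)

# 1. Domain join quota: how many computers an ordinary user may join.
$domain = Get-ADDomain
$root   = Get-ADObject -Identity $domain.DistinguishedName `
                       -Properties 'ms-DS-MachineAccountQuota'
$quota  = $root.'ms-DS-MachineAccountQuota'
Write-Output "ms-DS-MachineAccountQuota on $($domain.DNSRoot): $quota"

if ($quota -gt 0) {
    if ($Apply) {
        # With the quota at 0, joining requires explicitly delegated rights.
        Set-ADObject -Identity $domain.DistinguishedName `
                     -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
        Write-Output 'Quota set to 0.'
    } else {
        Write-Output 'Ordinary users can still join computers; re-run with -Apply to set 0.'
    }
}

# 2. Local Administrators on the domain-joined computer (not on the DC).
Invoke-Command -ComputerName $ComputerName -ArgumentList $AdminGroup, $Apply.IsPresent -ScriptBlock {
    param($Group, $DoApply)

    $current = Get-LocalGroupMember -Group 'Administrators'
    if ($current.Name -notcontains $Group) {
        if ($DoApply) {
            Add-LocalGroupMember -Group 'Administrators' -Member $Group
        } else {
            Write-Output "$Group is not a local administrator on $env:COMPUTERNAME."
        }
    }

    # Report the resulting membership so unexpected entries are visible.
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource
}
```

For more than a handful of computers, the Restricted Groups policy linked above manages the same membership centrally instead of per machine.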