Is there a way to limit the built in Domain Admin rights?

Mar 29, 2006
We are a rapidly growing company with locations in several states and have now added a help desk position to our IT department. This is in addition to a system administrator (me) and an IT Director. We would like the help desk to have admin rights on all of the local computers to be able to assist users and install software but not have rights to the servers. We would like the help desk to be able to add computers to the domain. The domain admin accounts have full admin rights to the local servers as well as local computers. Is there any way to modify the permissions to remove rights to the servers?
 
You would want to delegate control to a new user group for these help desk people, i.e. remove them as domain admins.

Neill
 
If you wish them to be administrators on all the client PCs, then you can do one of two methods...

1. Create a group called Client Admins on your domain. Add your help desk members to this group. Add this group to the LOCAL ADMINISTRATORS group on all the CLIENT PCs.

2. Create a group called Client Admins on your domain. Create a group policy and edit the computer policy to use a restricted group for local administrators to contain domain admins and client admins. Apply this policy to the computer container in Active Directory (container or OU that holds only client computers but no servers or other computers you wish to keep the client admins out of).

By doing method 1 or 2, your client admins will have local administrator rights on the client PCs.

As for adding computers to the domain, you can edit the Default Domain Controllers group policy under Computer Configuration, Windows Settings, Security Settings, Local Policies, User Rights Assignment, Add workstations to the domain. Add the workstation admins group. Edit the security settings on the computers container so that group will have the right to create computer objects.


Start, Help. You'll be surprised what's there. A+/MCP/MCSE/MCDBA
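
A read-only check of the outcome of method 1 or 2 above, added here as an example and not part of the original posts: it lists clients whose local Administrators group has a domain member outside the restricted-group list, clients where Client Admins is absent, and servers where Client Admins is present. The EXAMPLE domain name and both OU paths are assumptions; the ActiveDirectory module and WinRM access to the targets are required.

```powershell
# Added example, not from the thread. Read-only: it changes nothing.
# Assumed names: EXAMPLE domain and the two OU paths below.
Import-Module ActiveDirectory

$ClientOU = 'OU=Workstations,DC=example,DC=com'    # assumed: holds only client PCs
$ServerOU = 'OU=Servers,DC=example,DC=com'         # assumed: holds member servers
$HelpDesk = 'EXAMPLE\Client Admins'                # group from method 1 or 2
$Allowed  = @('EXAMPLE\Domain Admins', $HelpDesk)  # restricted-group list for clients

function Get-LocalAdminMember {
    param([string[]]$ComputerName)
    if (-not $ComputerName) { return }
    # Needs WinRM and Windows PowerShell 5.1 on each target. S-1-5-32-544 is the
    # built-in Administrators group, so this also works on non-English systems.
    Invoke-Command -ComputerName $ComputerName -ErrorAction SilentlyContinue -ScriptBlock {
        Get-LocalGroupMember -SID 'S-1-5-32-544' |
            Select-Object Name, @{ n = 'Source'; e = { [string]$_.PrincipalSource } }
    }
}

$clients   = (Get-ADComputer -Filter * -SearchBase $ClientOU).DNSHostName
$servers   = (Get-ADComputer -Filter * -SearchBase $ServerOU).DNSHostName
$onClients = @(Get-LocalAdminMember $clients)
$onServers = @(Get-LocalAdminMember $servers)

$findings = @(
    # Clients: any domain principal that is not on the restricted-group list.
    $onClients |
        Where-Object { $_.Source -eq 'ActiveDirectory' -and $_.Name -notin $Allowed } |
        Select-Object PSComputerName, Name, @{ n = 'Issue'; e = { 'unexpected admin on client' } }
    # Clients: help desk group absent (policy not applied, PC in the wrong OU, or no reply).
    $clients | Where-Object {
        $pc = $_
        -not ($onClients | Where-Object { $_.PSComputerName -eq $pc -and $_.Name -eq $HelpDesk })
    } | Select-Object @{ n = 'PSComputerName'; e = { $_ } }, @{ n = 'Name'; e = { $HelpDesk } },
        @{ n = 'Issue'; e = { 'help desk group missing, or host unreachable' } }
    # Servers: the help desk group must not be a direct member. Nested membership
    # (Client Admins inside another listed group) is not expanded here.
    $onServers | Where-Object { $_.Name -eq $HelpDesk } |
        Select-Object PSComputerName, Name, @{ n = 'Issue'; e = { 'help desk is admin on server' } }
)

$findings | Sort-Object PSComputerName | Format-Table -AutoSize
```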
 
It wouldn't be a bad idea to change the local administrator's password on all the client PCs to a common value only known to the domain admins and the help desk. Should a PC have a network failure, you can still log into the local administrator account and have local permissions. You should make it a complex password like Drink6pack.

Start, Help. You'll be surprised what's there. A+/MCP/MCSE/MCDBA
 