
Tech Group Creation

Status
Not open for further replies.

dTardis

IS-IT--Management
May 29, 2007
5
US
I need to create a security group for our techs. Currently they are domain admins, and that does not seem right to me. I would like to allow them the ability to add/remove software and printers, as well as other admin tasks on the local workstation PCs. What I don’t want them to be able to do is get into AD (like changing account or groups in AD) or the servers. How would I do this? Or can someone please point me in the right direction for instructions on how to do this?

dTardis
 
In this case you can create a group called TechGroup (for instance) and have them added to the local administrators group on users' workstations. You are correct, they do NOT need Domain Admin rights or any administrative rights specific to the domain if all they are doing is working on users' machines.
 
No user account should be a domain admin except the extra domain admin account created when the domain was set up (create an extra account and disable the original).

Best practice is that NO USER should be logging into their "normal" account with domain admin rights.

I'm with itsp1965 - create a group, then delegate rights to do other tasks. You can then use a GPO with Restricted Groups to automatically add that group to the local admins group on workstations.

Pat Richard, MCSE MCSA:Messaging CNA
Microsoft Exchange MVP
 
I really like this idea. How would I do this????


<You can then use a GPO with Restricted Groups to automatically add that group to the local admins group on workstations.>
 
OK, I created a test OU to try this with. I put a test computer in that OU as well as my test user. I created a test GP (lots of test stuff here). In the GP I went to Computer config > Windows settings > Security Settings > Restricted Groups.
Now if I understand how this is supposed to work, I needed to create a group here, and if it is the same name as an existing group on the applied computer it will overwrite the settings on that computer. I created a group called Administrators. I then added administrators <domainname>\Domain Admins, <domainname>\tech group. Of course domainname is our actual domain name, and the test user is part of the tech group. When I rebooted the test computer it did not appear to apply the changes. I then did a gpupdate /force. Again no changes appear to have happened.

Where do I go from here?

Thanks for all the help so far.
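
One way to check on the test workstation whether the Restricted Groups setting described in the last post took effect, as an added example that is not part of any post in this thread. The domain, group and GPO names are constructed placeholders, and the gpresult section headings assume English-language Windows.

```powershell
# Added example. Run in an elevated PowerShell session on the test workstation.
# Constructed placeholders: substitute your own domain, group and GPO names.
$ExpectedMembers = @('EXAMPLE\Domain Admins', 'EXAMPLE\tech group')
$GpoName         = 'Test Restricted Groups'   # hypothetical GPO name

function Get-LocalAdminDrift {
    param([string[]]$Expected)
    # S-1-5-32-544 is the well-known SID of the local Administrators group.
    # The machine's own built-in Administrator account (RID 500) is ignored.
    $names = @(
        Get-LocalGroupMember -SID 'S-1-5-32-544' |
            Where-Object { -not ($_.PrincipalSource -eq 'Local' -and $_.SID.Value -like '*-500') } |
            ForEach-Object { $_.Name }
    )
    [pscustomobject]@{
        Missing    = @($Expected | Where-Object { $_ -notin $names })
        Unexpected = @($names    | Where-Object { $_ -notin $Expected })
    }
}

function Get-GpoState {
    param([string]$Name)
    # Walk the computer-scope report and remember which section the GPO
    # name appears in. Headings assume English-language gpresult output.
    $section = 'not listed'
    $state   = 'not listed'
    foreach ($line in (gpresult /r /scope computer)) {
        if     ($line -match 'Applied Group Policy Objects') { $section = 'applied' }
        elseif ($line -match 'were not applied')             { $section = 'filtered out' }
        elseif ($line -match 'security groups')              { $section = 'not listed' }
        elseif ($line.Trim() -eq $Name)                      { $state = $section }
    }
    $state
}

$drift = Get-LocalAdminDrift -Expected $ExpectedMembers
"GPO '$GpoName' for this computer:   $(Get-GpoState -Name $GpoName)"
"Missing from local Administrators:  $($drift.Missing -join ', ')"
"Unexpected in local Administrators: $($drift.Unexpected -join ', ')"
```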
 