Hello,

On Win2003 Server I created an Organizational Unit TEAMOU and I
delegated control of it to the TEAMOU_Admins group. Under that OU I
added a Computers OU for them to add their computers. That all works
fine, but I also want them to be the default Admins of those computers
in that TEAMOU\Computers folder so that they can log in remotely and
locally. I don't want to add this group to my default Domain_Admins
group. How else can I give them this ability?

I've tried putting a Group Policy on TEAMOU to set the groups allowed to
log in locally, through the network and through terminal services
(Administrators, Remote Desktop Users, Mydomain\TEAMOU_Admins). But as
soon as they try to log in through terminal services to their machines,
they get an error about the local policy not allowing them to log in
interactively.

Any hints?

Thanks

David

Re: How to make regular user a default admin for Computers under his OU ? by Meinolf

Meinolf
Fri May 09 23:21:44 PDT 2008

Hello DavidC,

Use the Restricted Groups with GPO.
http://www.frickelsoft.net/blog/?p=13

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


Re: How to make regular user a default admin for Computers under by DavidC

DavidC
Sat May 10 10:13:30 PDT 2008

Mr. Weber,

Thanks a lot. That site explains it so clearly. It was very helpful.

Thanks!

David



Re: How to make regular user a default admin for Computers under by DavidC

DavidC
Sat May 10 11:44:36 PDT 2008

Well, I thought this was all I needed to do so that this regular user
group could have admin permissions on their machines. But I'm still
missing something because the system still doesn't let that group do
Admin tasks (change name of machine, enable/disable remote desktop,
log in remotely, etc.).

In the group policy on the system (on the client: open mmc, add Group
Pol snap-in and look at members of the Administrator group) I can see
this group being a member of the Administrators group. But yet, when I
log in as one of them I cannot do any Admin related tasks.

What else do I need to do besides adding this group to the "Restricted
Groups" in the policy for this Org. Unit? I need all their computers to
allow this group default Admin access.

David



Re: How to make regular user a default admin for Computers under his OU ? by Marcin

Marcin
Sat May 10 14:39:30 PDT 2008

David,
Sounds like you have additional Group Policy restrictions in place, which
apply to the members of the group in question, affecting their ability to
perform the tasks you listed. You can use RSOP or gpresult while logged on
as one of the accounts you are having problems with to determine whether this is
the case...

hth
Marcin


Re: How to make regular user a default admin for Computers under his OU ? by Jorge

Jorge
Sat May 10 16:19:37 PDT 2008

Use the restricted groups feature within a GPO, configure it and then link
the GPO to the OU (you may also use an existing one).

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!
------------------------------------------------------------------------------------------
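
An added illustration of the Restricted Groups advice in this thread (not code from any poster or from the linked blog): a GPO stores Restricted Groups in the `[Group Membership]` section of its `GptTmpl.inf` security template, where a `__Memberof` entry adds a group to another group and a `__Members` entry replaces the target group's member list. The script below reports which principals a template puts into the local Administrators group and by which mode; the SIDs, the MYDOMAIN name, the sample template and the function names are constructed for the example.

```python
# Added example: audit the Restricted Groups entries of a GPO security template.
# GptTmpl.inf is normally UTF-16 on disk; decode it before passing the text in.
ADMINS = {"*s-1-5-32-544", "administrators", "builtin\\administrators"}

# Constructed sample (not from the thread): domain group added to Administrators.
SAMPLE_INF = r"""
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-21-1111111111-2222222222-3333333333-1105__Memberof = *S-1-5-32-544
*S-1-5-21-1111111111-2222222222-3333333333-1105__Members =
*S-1-5-32-555__Members = MYDOMAIN\TEAMOU_Admins
[Version]
signature="$CHICAGO$"
"""

def _split(value):
    return [v.strip() for v in value.split(",") if v.strip()]

def group_membership(inf_text):
    """Yield (group, kind, values) for each [Group Membership] entry."""
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "group membership" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        group, sep, kind = key.strip().rpartition("__")
        if sep and kind.lower() in ("members", "memberof"):
            yield group, kind.lower(), _split(value)

def local_admin_grants(inf_text):
    """Report only the entries that affect the local Administrators group."""
    result = {"added": [], "replaced_with": None}
    for group, kind, values in group_membership(inf_text):
        if kind == "memberof" and any(v.lower() in ADMINS for v in values):
            result["added"].append(group)      # additive: existing admins kept
        elif kind == "members" and group.lower() in ADMINS:
            result["replaced_with"] = values   # authoritative: others removed
    return result

if __name__ == "__main__":
    print(local_admin_grants(SAMPLE_INF))
```

A non-`None` `replaced_with` means the policy overwrites the local Administrators list on every machine in scope, so anything missing from that list loses admin rights at the next policy refresh.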