admin rights to computers


Paul

I have a Windows 2000 AD network.

Is there a way to create an admin account that only has admin rights to
certain computers, i.e. give a user in a business office admin rights to
only the computers in the business office?

I do not want to use local admin accounts.

Thanks

Paul
 
You cannot create an admin account to do this.

If you only need to manage AD objects (reset passwords, create users), you
place all the users and computers in a business office OU and delegate
control of the OU to a specific user or group.
 
No problem. Here's how I do it.

First, I create a group, called "Workstation Admins". I place all the
workstations I want managed this way into their own OU. Then, I apply a GPO
to that OU containing a computer startup script that runs the following
line:

net localgroup administrators "mydomain\Workstation Admins" /add

Enter the "net" as the command and the rest as the parameter.

When these machines next boot, they will have the Workstation Admins group
in their local administrators group. Just place your administrative
accounts in this group and you're sorted.

There is a feature of Active Directory called "restricted groups", but it
actually overwrites the membership of the local admin groups. I don't use
it for this reason.

The only thing to be wary of is that if a machine is removed from the OU,
nothing changes. Members of Workstation Admins will still be administrators
of the box.

Hope this helps

Oli
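
The caveat in the last reply (a machine moved out of the OU keeps the group in its local Administrators group) can be checked for. The following is an added example, not part of the original thread: it parses English-locale `net localgroup administrators` output collected per host and compares it with the computers currently in the managed OU. The host names, the sample output and the OU list are constructed for illustration.

```python
import re

GROUP = r"mydomain\Workstation Admins"  # group name used in the reply above

def parse_local_admins(output):
    """Return member names from English `net localgroup administrators` output."""
    members, in_list = [], False
    for line in output.splitlines():
        line = line.strip()
        if re.fullmatch(r"-{5,}", line):   # dashed rule precedes the member list
            in_list = True
        elif in_list:
            if not line or line.startswith("The command completed"):
                break
            members.append(line)
    return members

def audit(collected, managed_ou_hosts, group=GROUP):
    """stale: group present but host is no longer in the OU.
    missing: host is in the OU but the startup script has not added the group."""
    managed = {h.lower() for h in managed_ou_hosts}
    stale, missing = [], []
    for host, output in collected.items():
        has_group = group.lower() in (m.lower() for m in parse_local_admins(output))
        in_ou = host.lower() in managed
        if has_group and not in_ou:
            stale.append(host)
        elif in_ou and not has_group:
            missing.append(host)
    return sorted(stale), sorted(missing)

def _sample(*members):
    # Constructed output in the layout `net localgroup` prints on English systems.
    return ("Alias name     administrators\n"
            "Comment        Administrators have complete and unrestricted access\n\n"
            "Members\n\n" + "-" * 79 + "\n" + "\n".join(members) + "\n"
            "The command completed successfully.\n")

# Constructed sample data: host name -> collected command output.
SAMPLE = {
    "BIZ-PC01": _sample("Administrator", r"MYDOMAIN\Domain Admins", r"MYDOMAIN\Workstation Admins"),
    "BIZ-PC02": _sample("Administrator", r"MYDOMAIN\Domain Admins"),
    "LAB-PC07": _sample("Administrator", r"MYDOMAIN\Domain Admins", r"MYDOMAIN\Workstation Admins"),
}
MANAGED_OU = ["BIZ-PC01", "BIZ-PC02"]  # computers currently in the managed OU

if __name__ == "__main__":
    stale, missing = audit(SAMPLE, MANAGED_OU)
    print("stale (group should be removed):", stale)
    print("missing (script not applied yet):", missing)
```

On a host reported as stale, `net localgroup administrators "mydomain\Workstation Admins" /delete` removes the leftover entry.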
 