JonR said:
I have a computer-savvy educator who manages his own lab of
computers. These are on a W2k3 AD domain. All machines run Windows
XP. I want to find the most efficient way to delegate administrator
rights on these computers (and only these computers). The computers
are already in an OU.
Sorry if this sounds like a bonehead question... I've just never had
to implement it.
Thanks for your time and suggestions.
Jon
Here's my boilerplate on "How do I give a domain user local admin rights?"
.....you can tweak this to apply only to this OU, or use an additional AD
group called "Lab Computer Admins" that does, etc etc etc.
Always use AD security groups and not individual user accounts when
assigning permissions....
--------------------------------------
Here's what I do:
Set up AD groups called LocalAdmin, LocalPowerUser, RDUser (for Remote
Desktop access)
The batch file would have this:
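.........
rem Local group names containing spaces must be quoted; domain groups are the AD groups named above
net localgroup Administrators DOMAIN\LocalAdmin /add
net localgroup "Power Users" DOMAIN\LocalPowerUser /add
net localgroup "Remote Desktop Users" DOMAIN\RDUser /add
.........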
When I set up a new user, I often find I need to add their domain account to
LocalAdmin before I log in as them the first time to customize their
profile/install any sw that must be installed by the user him/herself
....then remove them from the domain LocalAdmin group on the domain when
done.
You can create/link a new GPO at the appropriate OU where your computers
live
Edit the GPO - go to Computer Configuration \ Windows Settings \ Scripts
(startup/shutdown)
Double-click Startup, click Add
Copy the batch file you created to the clipboard, then paste it in the
window here
Exit/apply/ok/finish whatever
All the computers in this OU should have the startup script applied when
they restart, and you can now control all this at the server.
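
An added example, not part of the original post: because a startup script runs on every boot, this variant of the batch file checks membership before adding and logs any failure. DOMAIN and the three AD group names are the placeholders from the post; the log path and the `:ensure` helper are assumptions made for illustration.

```batch
@echo off
rem Added example: idempotent startup script for the lab OU.
rem DOMAIN, LocalAdmin, LocalPowerUser and RDUser are the placeholder
rem names used in the post; replace them with your own.
setlocal
set "DOM=DOMAIN"
rem Assumed log location; startup scripts run as LocalSystem and can write here.
set "LOG=%SystemRoot%\Temp\labgroups.log"

call :ensure "Administrators" "%DOM%\LocalAdmin"
call :ensure "Power Users" "%DOM%\LocalPowerUser"
call :ensure "Remote Desktop Users" "%DOM%\RDUser"

endlocal
goto :eof

:ensure
rem %~1 = local group on this computer, %~2 = domain group to nest in it.
rem List current members and look for the domain group (case-insensitive).
rem This is a substring match, so keep the domain group names distinct.
net localgroup "%~1" | find /i "%~2" >nul
if not errorlevel 1 goto :eof

rem Not a member yet: add it and record the outcome.
net localgroup "%~1" "%~2" /add >nul 2>&1
if errorlevel 1 (
    echo %date% %time% FAILED to add %~2 to %~1 >>"%LOG%"
) else (
    echo %date% %time% added %~2 to %~1 >>"%LOG%"
)
goto :eof
```

The log only grows when membership actually changes or an add fails, so an unexpected entry on a lab machine is worth a look.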