Best Default security group in AD for Tech. Support

[MaST MaX]

Hi guys

I have windows 2003 Domain in my office. I installed
Microsoft SharePoint portal server in one of member windows 2003
server. Our all technical support users are member of administrator
group so by default they get administrator rights in SharePoint portal
sites. I want to remove administrator rights from SharePoint Portal or
from AD but they should get full permissions on client's computer?

1. How can I restrict them?

2. Which is the best Default security group in AD for Tech. Support For
full permission in Client's Computers and no administrative rights?

3. Where I have to move Tech Support users?

Regards,
MaST Max

 

[Andrei Ungureanu [MVP]]

Create a separate group for Tech Support (with no rights on AD objects) and
add this to the local Administrators group on the client computers.

--
Regards,
Andrei Ungureanu
www.eventid.net
Test our new EventReader!
http://www.altairtech.ca/eventreader/default2.asp?ref=au

 

[MaST MaX]

Hi Andrei

Thank You for replaying

We can do this. But how come it's possible to configure all the
clients? There is approximate 300 clients in domain.

Regards,
MaST MaX

 

[Joe Richards [MVP]]

You will need to touch every machine manually or write a script to touch
them or use a startup script from a OU level policy that applies to the
client computers.


--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm

 

[Andrei Ungureanu [MVP]]

You can use the NET LOCALGROUP command in a startup batch file to do this.

--
Regards,
Andrei Ungureanu
www.eventid.net
Test our new EventReader!
http://www.altairtech.ca/eventreader/default2.asp?ref=au

 

[MaST MaX]

Hi

Thank for nice tip.
Canu give some idea Where i have to make script in OU.
regard's
MaSt Max

 

[Erik Cheizoo]

You could use a (machine) GPO for this, option Restricted Groups.
In the GPO you can control the members of e.g. (Local) Administrators.
Using the GPO, add Domain Admins and the Tech Support group.

--
Kind regards,

Erik Cheizoo
eXcellence & Difference - we keep your business running
============================================
Always test in a non-production environment before implementing
Guidelines for posting: http://support.microsoft.com/?id=555375
============================================

 

[MaST MaX]

Hi
its work ! I Use script in GPO and move all Tech Support user to Tech
Support group and make Startup script to add local admin to Tech
support ( new globel group).

Tahnk you all
Regard's

MaST MaX