Grant Software Install to Help Desk group

I want to be able to grant a group of users, let's say 3 people, the ability to install or update software on all computer workstations on the Windows Server 2003 Active Directory domain, without making these users members of the Domain Admins group. I am an administrator that needs to give our help desk and 2 programmers the right to local administration or ability to install software on all client workstations, but without the domain admins at the domain level. How do I do this? Does anyone know the process? Thanks.
 
Create a group, call it IT Helpdesk. Add your members to this group. Then
add IT Helpdesk group to the Administrators group on each computer (you can
do this part through Group Policy - Restricted Groups).

Erasmo said:
I want to be able to grant a group of users, let's say 3 people, the ability
to install or update software on all computer workstations on the Windows
Server 2003 Active Directory domain, without making these users members of
the Domain Admins group. I am an administrator that needs to give our help
desk and 2 programmers the right to local administration or ability to
install software on all client workstations, but without the domain admins
at the domain level. How do I do this? Does anyone know the process? Thanks.
 
Beware of restricted groups. It will replace rather than add to the
membership of the local administrators group.

Here's the way I do it.

First, I create a group, called "Workstation Admins" on the domain. I place
all the workstations I want managed this way into their own OU. Then, I apply
a GPO to that OU containing a computer startup script that runs the following
line:

net localgroup administrators "mydomain\Workstation Admins" /add

Enter the "net" as the command and the rest as the parameter.

When these machines next boot, they will have the Workstation Admins group
in their local administrators group. Just place your administrative
accounts in this group and you're sorted.

The first thing to be wary of is that if a machine is removed from the OU,
nothing changes. Members of Workstation Admins will still be administrators
of the box.

The second is something that may not be obvious. You want to prevent these
people being domain admins. If they're smart, they will be domain admins
quite soon anyway. If you or other domain admins ever log into PCs that
untrusted people are local administrators or power users of, then you need
to be careful. This is common sense, but something that so many people
overlook.

Hope this helps

Oli
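
The first caveat in the post above (a machine moved out of the OU keeps the group in its local Administrators) can be checked by comparing each workstation's `net localgroup administrators` output with the OU's current members. The Python script below is an added example, not part of the original thread; the host names, the OU host list and the captured command output are constructed, and how the output is collected from each machine is left as an assumption.

```python
# Added example: audit local Administrators membership against the managed OU.
# Host names, the OU host list and the captured output below are constructed.
GROUP = r"mydomain\Workstation Admins"

def parse_members(net_output):
    """Return member names from `net localgroup administrators` output."""
    members, in_list = [], False
    for line in net_output.splitlines():
        line = line.strip()
        if line.startswith("----"):
            in_list = True            # members start after the dashed rule
        elif line.startswith("The command completed"):
            break
        elif in_list and line:
            members.append(line)
    return members

def audit(captures, managed_ou_hosts, group=GROUP):
    """Compare each host's local Administrators with OU membership.

    Returns (stale, missing): hosts outside the OU that still hold the
    group, and hosts inside the OU where the startup script has not run.
    """
    stale, missing = [], []
    for host, output in sorted(captures.items()):
        has_group = group.lower() in (m.lower() for m in parse_members(output))
        in_ou = host in managed_ou_hosts
        if has_group and not in_ou:
            stale.append(host)
        elif in_ou and not has_group:
            missing.append(host)
    return stale, missing

def sample(*members):
    """Build constructed `net localgroup administrators` output."""
    head = ("Alias name     administrators\n"
            "Comment        Administrators have complete and unrestricted access\n\n"
            "Members\n\n" + "-" * 79 + "\n")
    return head + "\n".join(members) + "\nThe command completed successfully.\n"

CAPTURES = {
    "WS01": sample("Administrator", r"MYDOMAIN\Domain Admins", r"MYDOMAIN\Workstation Admins"),
    "WS02": sample("Administrator", r"MYDOMAIN\Domain Admins"),
    "WS03": sample("Administrator", r"MYDOMAIN\Domain Admins", r"MYDOMAIN\Workstation Admins"),
}
MANAGED_OU_HOSTS = {"WS01", "WS02"}   # constructed: WS03 was moved out of the OU

if __name__ == "__main__":
    stale, missing = audit(CAPTURES, MANAGED_OU_HOSTS)
    print("still admin after leaving OU:", stale)
    print("in OU but group not added:", missing)
```

The full member list returned by `parse_members` is also a quick way to see whether a Restricted Groups policy has replaced entries that were expected to remain.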
 