Local Policy for Desktop Support Group

  • Thread starter Thread starter Sean
  • Start date Start date
S

Sean

I've been researching this scenario and so far have not been able to come up
with a way to do it.

I need to have a local account called DesktopSupport or something along
those lines that can install/update device drivers, use run-as to
uninstall/reinstall software that requires administrator rights (initially
deployed under admin context with SMS), etc.. however, I need to restrict
the account from being able to add members to local administrators group.

Is their a way to restrict a member of the local administrators group from
managing the local administrators group?
 
Sean said:
I've been researching this scenario and so far have not been able to come
up with a way to do it.

I need to have a local account called DesktopSupport or something along
those lines that can install/update device drivers, use run-as to
uninstall/reinstall software that requires administrator rights (initially
deployed under admin context with SMS), etc.. however, I need to restrict
the account from being able to add members to local administrators group.

Is their a way to restrict a member of the local administrators group from
managing the local administrators group?
Click to expand...

Either make them "Power Users" - which probably won't work for all software
installations, or consider using Group Policy (if you have a domain) to
define the memberships of the Administrators group. See
http://support.microsoft.com/?kbid=279301
 
Back
Top