User Account

  • Thread starter: Lily Mazzarulli

Hello,

Is it possible to create an account that gives a user local computer rights
to every user's computer but not to the network? We have a Cad Manager that
needs to have rights to users' machines for software installations and
troubleshooting.

TIA
 
Is it possible to create an account that gives a user local computer rights
to every user's computer but not to the network? We have a Cad Manager that
needs to have rights to users' machines for software installations and
troubleshooting.

What would that mean? "not to the network"? You (in some sense) don't
really "access the network" but rather resources ON the network like
servers with file shares or printers....

Presumably, software installations would require (sometimes) Administrative
privilege. You don't have to make the user a Domain Admin but it won't be
easy unless you use Group Policy to configure a restricted group on each
machine to include a Group (like CadMgrInstallers) with the user.

What specifically do you wish to accomplish and what specifically do you
wish to prevent? (Someone might be able to help with the specifics you
need.)
 
Yes, we don't want the CAD manager to have administrative rights to our
network but have her user account set up to have rights on the users'
computers.

I hope this makes some kind of sense.
 
Yes, we don't want the CAD manager to have administrative rights to our
network but have her user account set up to have rights on the users'
computers.

I hope this makes some kind of sense.

Yes, if by "network" you mean "other machines".

The following is complicated:
Create a Global Group (CADUpdate)
Add manager to that group CADUpdate
Put all machines that should be controlled by manager in an OU
(this may not work for you and you might have to do this as multiple child
OUs on existing OUs)
Create a GPO and link to OU(s)
In the GPO create a restricted group entry for the Administrator (or other
group) on the machines
Restrict the Group to Domain Admins AND the CADUpdate (etc..?)

When the machines boot, the restricted group will allow the manager to work
the machines and not be an admin of NON-OU (unaffected by the GPO)
computers.

Note, if you don't want the manager to be an admin of ANY machine then
perhaps you have the wrong person performing the task.
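
The steps in the reply above, as an added PowerShell example that is not part of the original thread: it scripts the group, OU and GPO link, and adds an audit check for a workstation's local Administrators group. The domain `DC=example,DC=com`, the OU `CAD-Workstations`, the GPO name, the account `cadmgr` and both function names are assumptions; the Restricted Groups entry itself is still set in the GPO editor.

```powershell
# Added example. Assumed names: example.com domain, CAD-Workstations OU,
# 'CAD Local Admins' GPO, cadmgr account. CADUpdate is the group from the thread.

function New-CadAdminScope {
    # Run once as a domain admin on a host with RSAT (ActiveDirectory, GroupPolicy).
    param(
        [string]$DomainDN = 'DC=example,DC=com',
        [string]$OuName   = 'CAD-Workstations',
        [string]$Manager  = 'cadmgr'
    )
    Import-Module ActiveDirectory, GroupPolicy
    $ouDN = "OU=$OuName,$DomainDN"

    # Global security group holding the CAD manager
    New-ADGroup -Name 'CADUpdate' -GroupScope Global -GroupCategory Security `
        -Path "CN=Users,$DomainDN"
    Add-ADGroupMember -Identity 'CADUpdate' -Members $Manager

    # OU for the machines she manages; move computer accounts into it afterwards
    New-ADOrganizationalUnit -Name $OuName -Path $DomainDN

    # Empty GPO linked to that OU. The Restricted Groups entry is then added under
    # Computer Configuration > Policies > Windows Settings > Security Settings >
    # Restricted Groups: group "Administrators", members Domain Admins + CADUpdate.
    New-GPO -Name 'CAD Local Admins' | New-GPLink -Target $ouDN
}

function Get-UnexpectedLocalAdmin {
    # Run on a workstation after the policy has applied (gpupdate /force or reboot).
    # Returns members of BUILTIN\Administrators that are neither in $Allowed nor
    # the machine's own built-in Administrator account (local principal, RID 500).
    param([string[]]$Allowed)   # e.g. 'EXAMPLE\Domain Admins', 'EXAMPLE\CADUpdate'
    Get-LocalGroupMember -SID 'S-1-5-32-544' | Where-Object {
        $builtin = $_.PrincipalSource -eq 'Local' -and $_.SID.Value -match '-500$'
        -not $builtin -and $_.Name -notin $Allowed
    }
}

# On a workstation in the OU: no output means the membership matches the policy.
# Get-UnexpectedLocalAdmin -Allowed 'EXAMPLE\Domain Admins', 'EXAMPLE\CADUpdate'
```

The Members list of a Restricted Groups entry replaces the group's existing membership when policy applies, so any local administrator not listed is removed; that is why the reply lists Domain Admins alongside CADUpdate.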
 