#1

Hi all

I need to make a junior technician local admin on the workstations in the domain so that he can install programs, etc through a GPO. Can someone help me to do this please? They all have win xp pro installed and log onto a win2003 domain controller with AD.

Thanks for the help

MSExchange2003Student

#2

Hello MSExchange2003Student,

Use Restricted Groups for this.

Create a new group for the local admins; it is easier to add additional people if necessary.

- Then open Active Directory Users and Computers.
- Browse to the OU that will contain the computer account objects
- Open "Properties"
- Select the Group Policy Tab
- Create a new Group Policy Object
- Edit the new object
- In the Group Policy MMC, browse to: Computer Configuration/Windows Settings/Security Settings/Restricted Groups
- Right-click and choose "Add Group"

Select the newly created group and also add the administrator, otherwise this account will NO longer have local admin rights.

Best regards

Myweb

Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.

#3

Thanks for your reply, I get the error below:

<Myweb> wrote in message news:(E-Mail Removed) .com...
> Hello MSExchange2003Student,
>
> Use Restricted Groups for this.
>
> Create a new group for the local admins; it is easier to add additional people if necessary.
>
> - Then open Active Directory Users and Computers.
> - Browse to the OU that will contain the computer account objects
> - Open "Properties"
> - Select the Group Policy Tab

After I click on the Group Policy Tab as described above, the following message pops up:

The domain controller for group policy operations is not available. You may cancel this operation for this session or retry using one of the following domain controller choices:

(and then I have 3 choices)

- The one with the Operations Master token for the PDC emulator
- The one used by the AD Snap-ins
- Use any available domain controller

Which option do I choose before I click OK? Is it normal to get this message?

> - Create a new Group Policy Object
> - Edit the new object
> - In the Group Policy MMC, browse to: Computer Configuration/Windows Settings/Security Settings/Restricted Groups
> - Right-click and choose "Add Group"
>
> Select the newly created group and also add the administrator, otherwise this account will NO longer have local admin rights.

#4

Myweb - I found out something interesting... pls give your input

I have 2 win2003 servers. One is the fileserver and the other the exch2003 server. If I try to edit the group policy on the fileserver I get the error which I have typed below, but if I do the same on the AD on the exchange server I do not get the error and can continue. Must I do this through AD on the exchange server then? The colour of the AD icon on the exchange is kind of "orange" while the colour of the one on the fileserver is "brown".

Does that help?

"MSExchange2003Student" <(E-Mail Removed)> wrote in message news:(E-Mail Removed)...
> After I click on the Group Policy Tab as described above, the following message pops up: The domain controller for group policy operations is not available. You may cancel this operation for this session or retry using one of the following domain controller choices: (and then I have 3 choices)
>
> - The one with the Operations Master token for the PDC emulator
> - The one used by the AD Snap-ins
> - Use any available domain controller
>
> Which option do I choose before I click OK? Is it normal to get this message?

#5

Hello MSExchange2003Student,

You have to set the policy in AD, not locally on the fileserver. If the user should have the right in the whole domain, use a policy at the Domain level. Maybe create a new one with a special name or use the Default Domain Policy. I prefer to create a new one; in case whatever happens you could just delete the own created one and you can go back to the Default Domain Policy without problem.

Best regards

Myweb

Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.

#6

Don't understand you saying "You have to set the policy in AD, not locally on the fileserver." as my AD is on the fileserver and the exchange server.??????????

#7

Hello MSExchange2003Student,

Sorry, I understood from the last post that you are talking about the local policy from the fileserver. So Active Directory is your policy point.

Best regards

Myweb

Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.

#8

OK - thanks MyWeb

#9

Hi,

While Restricted Groups in a GPO will often work in this case, it is not always ideal. Restricted Groups will cause the group you are restricting to only have the members you specify in the GPO. For example, if you set the Administrators group to be restricted to Domain Admins and this one user, then it will remove the other members that have been added to the group, such as other domain users who need administrative access to the workstations.

If you need the Administrators group to ONLY contain these groups and users, then Restricted Groups will work fine. If you don't want to remove others who might be in the local Administrators group, you will want to use the Net command as the example shows in this link: http://www.ss64.com/nt/net_useradmin.html

There is one caveat though: this must be run locally on the workstation and with administrative rights. It can be embedded in a product like Desktop Authority and run at logon, logoff, even at a refresh interval, just like a GPO, and also run with administrative access.

If you want a good primer on Restricted Groups, you can find one here: http://www.windowsecurity.com/articl...ed-Groups.html

Jaime Halscott
Lead Systems Engineer
ScriptLogic Corporation
http://www.scriptlogic.com

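The difference described in post #9, as an added example that is not part of the original thread: a Python sketch that reads the `[Group Membership]` section a Restricted Groups setting writes to the GPO's GptTmpl.inf and previews which current local Administrators members the "Members" list would remove, next to the additive result of a `net localgroup ... /add`. The `EXAMPLE` domain, the account names and the current membership are constructed placeholders.

```python
import re

# Constructed sample of the [Group Membership] section of a GPO's GptTmpl.inf.
# Member names are written as names rather than SIDs so the output is readable;
# the EXAMPLE\... accounts are placeholders, not values from the thread.
SAMPLE_INF = r"""
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = EXAMPLE\Domain Admins,EXAMPLE\Workstation Admins
"""

# Constructed: local Administrators on one workstation before the GPO applies.
CURRENT = [r"EXAMPLE\Domain Admins", r"EXAMPLE\HelpdeskLead", r"EXAMPLE\jsmith"]

WELL_KNOWN = {"S-1-5-32-544": r"BUILTIN\Administrators"}
KEY_RE = re.compile(r"^(.+?)__(Members|Memberof)\s*=\s*(.*)$", re.IGNORECASE)


def parse_group_membership(inf_text):
    """Return {group: {"members": [...], "memberof": [...]}} from the inf text."""
    policy, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        match = KEY_RE.match(line) if in_section else None
        if not match:
            continue
        group = match.group(1).lstrip("*")          # "*" marks a SID in the file
        group = WELL_KNOWN.get(group, group)
        names = [v.strip().lstrip("*") for v in match.group(3).split(",") if v.strip()]
        policy.setdefault(group, {})[match.group(2).lower()] = names
    return policy


def preview_members_enforcement(policy, group, current_members):
    """Return (kept, removed, added) for a group whose Members list is enforced."""
    entry = policy.get(group, {})
    if "members" not in entry:
        return None                                  # group not restricted here
    wanted = {n.lower(): n for n in entry["members"]}
    have = {n.lower(): n for n in current_members}
    kept = sorted(have[k] for k in have if k in wanted)
    removed = sorted(have[k] for k in have if k not in wanted)
    added = sorted(wanted[k] for k in wanted if k not in have)
    return kept, removed, added


def additive_add(current_members, account):
    """Model of `net localgroup Administrators <account> /add`: nobody is removed."""
    present = {n.lower() for n in current_members}
    return list(current_members) + ([] if account.lower() in present else [account])


if __name__ == "__main__":
    gpo = parse_group_membership(SAMPLE_INF)
    kept, removed, added = preview_members_enforcement(
        gpo, r"BUILTIN\Administrators", CURRENT)
    print("Restricted Groups keeps:  ", kept)
    print("Restricted Groups removes:", removed)
    print("Restricted Groups adds:   ", added)
    print("net localgroup /add gives:", additive_add(CURRENT, r"EXAMPLE\Workstation Admins"))
```

Running the preview against an export of the real local Administrators membership before linking the GPO shows which accounts would lose admin rights at the next policy refresh.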
#10
|
|||
|
|||
|
"Myweb" <(E-Mail Removed)> wrote in message news:(E-Mail Removed) .com... > Hello MSExchange2003Student, > > Sorry i understand from the last post that you are talking about the local > policy from the fileserver. So Active directory is your policy point. > > Best regards > > Myweb > Disclaimer: This posting is provided "AS IS" with no warranties, and > confers no rights. > >> Don't understand you saying "You have to set the policy in AD, not >> localy on the fileserver." as my AD is on the fileserver and the >> exchange server.?????????? >> >> "Myweb" <(E-Mail Removed)> wrote in message >> news:(E-Mail Removed) .com... >> >>> Hello MSExchange2003Student, >>> >>> You have to set the policy in AD, not localy on the fileserver. If >>> the user should have the right in the whole domain use a policy at >>> the Domain level. Maybe create a new one with a special name or use >>> the Default domain policy. I prefer to create a new one, in case >>> whatever happens you could just delete the own created and you can go >>> back to the default domain policy without problem. >>> >>> Best regards >>> >>> Myweb >>> Disclaimer: This posting is provided "AS IS" with no warranties, and >>> confers no rights. >>>> My web - i found out something interesting...pls give you input >>>> >>>> I have 2 win2003servers. One is the fileserver and the other the >>>> exch2003 server. If i try to edit the group policy on the fileserver >>>> I get the error which i have typed below but if i do the same on the >>>> AD on the exchange server i do not get the error and can continue. >>>> Must i do this through AD on the exchange server then. The colour of >>>> the AD icon on the exchange is kind of "orange" while the colour of >>>> the one on the fileserver is "brown" >>>> >>>> Does that help? >>>> >>>> "MSExchange2003Student" <(E-Mail Removed)> wrote in >>>> message news:(E-Mail Removed)... 
>>>> >>>>> Thanks for your reply, i get the error below: >>>>> >>>>> <Myweb> wrote in message >>>>> news:(E-Mail Removed) .com... >>>>>> Hello MSExchange2003Student, >>>>>> >>>>>> Use Restricted groups for this. >>>>>> >>>>>> Create a new group for the local admins, easier to add additional >>>>>> people if necessary. >>>>>> >>>>>> - Then open Active Directory Users and Computers. - Browse to the >>>>>> OU that will contain the computer account objects - Open >>>>>> "Properties" - Select the Group Policy Tab >>>>>> >>>>> After i click on the Group Policy Tab as describe above the >>>>> following message pops-up : The domain controller for group policy >>>>> operations is not availble. You may cancell this operation for this >>>>> session or retry using one of the following domain controller >>>>> choices : (and then i have 3 choices) >>>>> >>>>> The one with the Operations Master token for the PDC emulator >>>>> The one used by the AD Snap-ins >>>>> Use any available domain controller >>>>> Which option do i choose before i click OK - Is it normal to get >>>>> this >>>>> message? >>>>>> - Create a new Group Policy Object - Edit the new object - In the >>>>>> Group >>>>>> Policy MMC, browse to: >>>>>> Computer Configuration/Windows Settings/Security >>>>>> Settings/Restricted >>>>>> Groups >>>>>> - Right-Click and choose "Add Group" Select the new created group >>>>>> and >>>>>> also add the administrator, otherwise this account do NOT longer >>>>>> have >>>>>> local admin rights. Hi MyWeb The prosedure described above does not work for my scenario. if i follow the scenario excatly like you describe it above and go to any workstation aqnd log in with the user then i still CANNOT install any programs - Any help?????? >>>>>> Best regards >>>>>> Myweb >>>>>> Disclaimer: This posting is provided "AS IS" with no warranties, >>>>>> and >>>>>> confers no rights. 
>>>>>>> Hi all >>>>>>> >>>>>>> I need to make a junior technician local admin on the >>>>>>> workstations in the domain so that he can install programs, etc >>>>>>> through a GPO. Can someone help me to do this please? They all >>>>>>> have win xp pro installed and log onto a win2003 domain >>>>>>> controller with AD. >>>>>>> >>>>>>> Thanks for the help >>>>>>> > > |