Faced with a situation. Need help!!

kenny504 Users Awaiting Email Confirmation Posts: 237
You want an employee (field technician) to be able to add or remove applications or programs from all domain computers as necessary. Which group should you make him a part of without giving out too many rights...

He is not to be an admin on the domain. How can I make this happen... or deploy a group policy or what??

Trying some stuff but it won't work.

Thanks.
There is no better than adversity, every defeat, every loss, every heartbreak contains its seed. Its own lesson on how to improve on your performance the next time.

Comments

  • ilcram19 Inactive Imported Users Posts: 206
    Somewhere in the domain security policies.
    If you stop getting better, you cease being good
  • sprkymrk Member Posts: 4,884
    Use restricted groups and make his account a member of the local admins on the workstations.
    All things are possible, only believe.
  • theseman Member Posts: 230
    I would use restricted groups. Create an OU and group policy that encompasses all necessary client PCs (could also do this at domain level). Using this method he could be added to the local administrator group for those client machines.


    Travis

    EDIT: Note to self, use preview button, as I am too slow :(
  • kenny504 Users Awaiting Email Confirmation Posts: 237
    Well, tried that; it still will give out too many rights... any other way??
    He can uninstall programs, but now he can add connections, local users, configure settings... way too much.
    There is no better than adversity, every defeat, every loss, every heartbreak contains its seed. Its own lesson on how to improve on your performance the next time.
  • sprkymrk Member Posts: 4,884
    If it's only MSIs, then you can have MSI installs with elevated privileges, but that applies to everyone, not just him.

    You generally have to be an admin to install programs. If you don't trust this guy find someone else to do it or automate the installs remotely. Not much other choice as far as I can see.
    All things are possible, only believe.
  • ilcram19 Inactive Imported Users Posts: 206
    You can try delegation and add the task that you want him to do.
    If you stop getting better, you cease being good
  • theseman Member Posts: 230
    Delegations are more related to AD tasks (i.e. Resetting passwords, modifying group memberships).

    I have to say local admin is the way to go. Like Mark said above, if he is that untrustworthy find someone else. Local admins have full permissions to that machine, but not domain services like DNS, AD, etc.


    Travis
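
An added example, not posted by anyone in this thread: a Python audit of the Restricted Groups approach recommended above, reading the `[Group Membership]` section of a GPO security template (GptTmpl.inf) to list who the policy puts in local Administrators and whether it adds to or replaces the existing membership. The template text, the placeholder SIDs and the function names are constructed for illustration.

```python
import configparser

ADMINS_SID = "S-1-5-32-544"  # well-known SID of the built-in Administrators group

# Constructed sample of a GptTmpl.inf fragment. The domain SID and RIDs are
# placeholders, not values from the thread.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-21-1111111111-2222222222-3333333333-1105__Memberof = *S-1-5-32-544
*S-1-5-21-1111111111-2222222222-3333333333-1105__Members =
*S-1-5-32-555__Members = *S-1-5-21-1111111111-2222222222-3333333333-1106
"""


def _sids(value):
    """Split a comma-separated SID list and drop the leading '*' markers."""
    return [v.strip().lstrip("*") for v in value.split(",") if v.strip()]


def local_admin_grants(inf_text):
    """Return (principal, mode) pairs that the policy places in local Administrators.

    mode is "additive" for a "This group is a member of" entry (existing local
    admins are kept) and "replace" for a "Members of this group" entry on
    Administrators itself (anyone not listed is removed).
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.optionxform = str  # keep the case of SIDs and group names
    cp.read_string(inf_text)
    grants = []
    if not cp.has_section("Group Membership"):
        return grants
    for key, value in cp.items("Group Membership"):
        group, _, kind = key.rpartition("__")
        group, kind = group.lstrip("*"), kind.lower()
        if kind == "memberof" and ADMINS_SID in _sids(value):
            grants.append((group, "additive"))
        elif kind == "members" and group == ADMINS_SID:
            grants.extend((sid, "replace") for sid in _sids(value))
    return grants


if __name__ == "__main__":
    for principal, mode in local_admin_grants(SAMPLE_INF):
        print(f"{principal} -> local Administrators ({mode})")
```
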