Home
Certification Preparation
Microsoft
MCSA / MCSE on Windows 2003 General
Server 70-290
Faced with a situation.need help!!
kenny504
You want an employee(field technician) to be able to add or remove applications or programs from all domain computers as neccessary. Which group should you make him apart of without giving out too many rights...
He is not be a admin on the domain. How can i make this happen...or deploy a group policy or what??
Trying some stuff but it wont work.
Thanks.
Find more posts tagged with
Comments
ilcram19
somewhere in the domain security policies
sprkymrk
Use restricted groups and make his account a member of the local admins on the workstations.
theseman
I would use restricted groups. Create a OU and group policy that encompasses all neccessary client PC's (could also do this at domain level). Using this method he could be added to the local administrator group for those client machines.
Travis
EDIT: Note to self, use preview button, as I am too slow
kenny504
well tried that it still will give out too much rights...any other way??
He can uninstall programs but now he can add connections local users configure settings...way too much
sprkymrk
If it's only MSI's then you can have MSI installs with elevated priveledges, but that applies to everyone not just him.
You generally have to be an admin to install programs. If you don't trust this guy find someone else to do it or automate the installs remotely. Not much other choice as far as I can see.
ilcram19
u can try delagation and add the task that u want him to do
theseman
Delegations are more related to AD tasks (i.e. Resetting passwords, modifying group memberships).
I have to say local admin is the way to go. Like Mark said above, if he is that untrustworthy find someone else. Local admins have full permissions to that machine, but not domain services like DNS, AD, etc.
Travis
Quick Links
All Categories
Recent Posts
Activity
Unanswered
Groups
Best Of