#1
I have been asked by a new company if I can make someone a local admin but restrict them so they have no access to the server.
I found this but I'm not sure if it is what I need. The only other option I can think of is to go round and make them a local admin on each machine, leaving them standard privileges on a server which should refuse them access. Server is 2008.

#2
Is this company using Active Directory? If they are, then the idea of creating a local user account on each machine will ensure that they have no access to the server. In the case that they try to access the server, they will be prompted to provide the user credentials of a domain admin account.
Last edited by ServiTec; 06-14-2012 at 09:30 PM.

#3
All you need to do to make someone local admin on their respective PC is right-click My Computer or Computer (Win 7) and select Manage. Under Local Users select Groups, then right-click Administrators, select "Add to group", enter their domain user name, click on check name, and if it is good hit Apply.
The user will have local admin rights on that machine only. This allows them to configure the machine without having a domain level administrator password.

#4
Is this for a single workstation or ALL workstations? Is this an Active Directory site?
If it's a single workstation, just add their account to the local admin group on the workstation. If it's AD and they want local admin rights on all workstations, but not the server(s), then the easiest way is to configure a group policy using Restrictive Groups.
-Randy

#5
Thanks pro tech, I will check that out. They wanted it on all computers.

#6
I'm not clear what you mean by this.
Usually in SMB we add domain users to the local admin group...no SMBs want to call the IT guy at 100/hour for every tiny thing they need to install. However...what do you mean "have no access to the server?" Usually in SMB, shares on servers are set to the domain users group. You peel back from there. I'm just not clear what they don't want them to get on the server.
__________________
Resident "Geek on a Harley" doing IT in Southeast Connecticut http://www.dynamic-alliance.com/ https://www.facebook.com/YeOldeStonecat

#7
Create an OU within AD called Workstations, move all your workstations to that OU, then create a GPO and link it to that OU. Within that OU create a restricted local group called Administrators and add Domain Users and Domain Admins to this group; this will make all domain users admins on the local workstation and not the servers.
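
A check one might run after linking the GPO described in post #7, to confirm that local Administrators membership on workstations and servers matches what was intended. This is an added example, not part of the thread; the domain name CONTOSO, the computer names PC01 and SRV01, the allow lists and both function names are constructed assumptions.

```powershell
# Added example, not from the thread. CONTOSO, PC01, SRV01 and the allow lists
# are constructed placeholders; adjust them to the real domain and policy.
$Allowed = @{
    Workstation = @('Administrator', 'CONTOSO\Domain Admins', 'CONTOSO\Domain Users')
    Server      = @('Administrator', 'CONTOSO\Domain Admins')
}

function Get-LocalAdminMember {
    # Lists the local Administrators group of a machine through the WinNT ADSI
    # provider (needs network access and rights on the target).
    param([Parameter(Mandatory = $true)][string]$ComputerName)
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($member in $group.psbase.Invoke('Members')) {
        $path  = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        $parts = @(($path -replace '^WinNT://', '') -split '/')
        if ($parts.Count -lt 2 -or $parts[-2] -ieq $ComputerName) {
            $parts[-1]                              # local account or unresolved SID
        } else {
            '{0}\{1}' -f $parts[-2], $parts[-1]     # DOMAIN\name
        }
    }
}

function Test-LocalAdminPolicy {
    # Pure comparison: one row per member, flagged against the role's allow list.
    param(
        [string]$ComputerName,
        [ValidateSet('Workstation', 'Server')][string]$Role,
        [string[]]$Members
    )
    foreach ($m in $Members) {
        New-Object psobject -Property @{
            Computer = $ComputerName; Role = $Role; Member = $m
            Allowed  = $Allowed[$Role] -contains $m
        }
    }
}

# Constructed sample: the server wrongly received the workstation membership.
$sample = @(
    @{ ComputerName = 'PC01';  Role = 'Workstation'; Members = @('Administrator', 'CONTOSO\Domain Admins', 'CONTOSO\Domain Users') }
    @{ ComputerName = 'SRV01'; Role = 'Server';      Members = @('Administrator', 'CONTOSO\Domain Admins', 'CONTOSO\Domain Users') }
)
foreach ($s in $sample) { Test-LocalAdminPolicy @s | Where-Object { -not $_.Allowed } }
# Live use: Test-LocalAdminPolicy -ComputerName SRV01 -Role Server -Members (Get-LocalAdminMember SRV01)
```

Only rows that violate the allow list are printed, so an empty result means every sampled machine matches the policy for its role.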