#1 | 4ycr | 06-14-2012, 09:01 PM
server help

I have been asked by a new company if I can make someone a local admin but restrict them so they have no access to the server.

I found this but not sure if it is what I need.

The only other option I can think of is to go round and make them a local admin on each machine leaving them standard privileges on a server which should refuse them access.

Server is 2008.

#2 | ServiTec | 06-14-2012, 09:24 PM
server help

Is this company using Active Directory? If they are then the idea of creating a local user account on each machine will ensure that they have no access to the server. In the case that they try to access the server they will be prompted to provide the user credentials of a domain admin account.

Last edited by ServiTec; 06-14-2012 at 09:30 PM.

#3 | oldtech | 06-15-2012, 01:47 AM

All you need to do to make someone local admin on their respective PC is right-click My Computer or Computer (Win 7) and select Manage. Under Local Users select Groups, then right-click Administrators, select "Add to Group", enter their domain user name, click on check name and, if it is good, hit Apply.

The user will have local admin rights on that machine only.

This allows them to configure the machine without having a domain level administrator password.

#4 | ProTech-MN | 06-15-2012, 01:17 PM

Is this for a single workstation or ALL workstations? Is this an Active Directory site?

If it's a single workstation, just add their account to the local admin group on the workstation.

If it's AD and they want local admin rights on all workstations, but not the server(s), then the easiest way is to configure a group policy using Restrictive Groups.

-Randy

#5 | 4ycr | 06-15-2012, 06:35 PM

Thanks ProTech, I will check that out. They wanted it on all computers.

#6 | YeOldeStonecat | 06-15-2012, 07:36 PM

Quote:
Originally Posted by 4ycr
but restrict them so they have no access to the server.

I'm not clear what you mean by this.

Usually in SMB we add domain users to the local admin group...no SMBs want to call the IT guy at 100/hour for every tiny thing they need to install.

However...what do you mean "have no access to the server?"

Usually in SMB, shares on servers are set to the domain users group. You peel back from there. I'm just not clear what they don't want them to get on the server.
__________________
Resident "Geek on a Harley" doing IT in Southeast Connecticut
http://www.dynamic-alliance.com/
https://www.facebook.com/YeOldeStonecat

#7 | krtechsolutions | 06-15-2012, 08:26 PM

Create an OU within AD called Workstations, move all your workstations to that OU, then create a GPO and link it to that OU. Within that OU create a restricted local group called Administrators and add Domain Users and Domain Admins to this group; this will make all domain users admins on the local workstation and not the servers.
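
A read-only check of the outcome this thread is after (the delegated account or group is a local admin on workstations and has not been added on servers), as an added example that is not from any of the posters. The domain, account and computer names are constructed placeholders, and it uses the WinNT ADSI provider, which is available on older Windows versions.

```powershell
# Constructed placeholders: replace with the real domain, principals and hosts.
$Principals   = 'CONTOSO\jsmith', 'CONTOSO\Domain Users'
$Workstations = 'WS-01', 'WS-02'
$Servers      = 'SRV-01'

function Get-LocalAdminMember {
    param([string]$ComputerName)
    # Lists DIRECT members of the local Administrators group only;
    # members of nested domain groups are not expanded here.
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($m in $group.psbase.Invoke('Members')) {
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        # ADsPath is WinNT://DOMAIN/name or WinNT://DOMAIN/COMPUTER/name
        $parts = ($path -replace '^WinNT://', '') -split '/'
        if ($parts.Count -ge 2) { '{0}\{1}' -f $parts[-2], $parts[-1] } else { $parts[-1] }
    }
}

function Test-LocalAdminScope {
    param([string[]]$ComputerName, [string]$Role, [string[]]$Principal)
    foreach ($c in $ComputerName) {
        try {
            $members = @(Get-LocalAdminMember -ComputerName $c)
            $hits    = @($members | Where-Object { $Principal -contains $_ })
            # Expected: present on workstations, absent on servers.
            $ok = if ($Role -eq 'Workstation') { $hits.Count -gt 0 } else { $hits.Count -eq 0 }
            $status = if ($ok) { 'OK' } else { 'REVIEW' }
        } catch {
            $hits = @(); $status = 'UNREACHABLE'
        }
        New-Object psobject -Property @{
            Computer = $c; Role = $Role; Status = $status; Matched = ($hits -join ', ')
        }
    }
}

$report  = @(Test-LocalAdminScope -ComputerName $Workstations -Role 'Workstation' -Principal $Principals)
$report += @(Test-LocalAdminScope -ComputerName $Servers -Role 'Server' -Principal $Principals)
$report | Select-Object Computer, Role, Status, Matched | Format-Table -AutoSize
```

A server row marked REVIEW means one of the listed principals sits directly in that server's Administrators group, which is the situation the original poster was asked to prevent.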

All times are GMT.