none
y how to configure specific rights to a security group or OU

    Question

  • I have created user called a & added into administrator group then logged from different machine but still unable to install software someone help me on this secondly how to configure specific rights to a security group or OU


    sccmghost@hotmail.com

    Sunday, February 02, 2014 1:13 PM

Answers

  • If you added the user to the built in administrators group on the SBS server (Domain Built-in Administrators), then that does not give that account permissions over any workstations on your domain.

    You will need to add that user to the administrators group of the workstations.  Like I mentioned on your other thread regarding this same type of issue, the BuiltIn\Administrators will give you admin rights on all DCs in a domain.  

    As arnavsharma has mentioned, if you want a group that you created to have administrative rights to all the workstations in a domain, or a specific OU, you'll need to make a GPO and link it.

    In that GPO, you'll establish 'Restricted Groups'.

    We've had this discussion before:
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/847f252d-9e17-4eff-88b3-92b40de98f63/someone-help-me-domain-controller-built-groups-like-administrator-d?forum=winservergen

    Your question on this forum thread seems to drift a little bit.  You're looking for how to give users rights over an OU, but then you're trying to install software on a machine.

    1) OU rights have to do with user objects.  It has nothing to do with user's permissions on a workstation.  You can control user objects with no machine admin access.
    2) You can have Machine rights with no OU administration rights. 

    The machine only cares about who is in the local administrators group of that machine.  It doesn't read into OU rights.

    I hope this helps.


    - Chris Ream -

    **Remember, if you find a post that is helpful, or is the answer, please mark it appropriately.**


    Sunday, February 02, 2014 2:59 PM

All replies

  • Is the administrator group added to the local admin group of the system?

    Arnav Sharma | Facebook | Twitter Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Sunday, February 02, 2014 1:21 PM
  • You can add admin group to all the client computers  by using Restricted groups in GP's : http://support.microsoft.com/kb/279301/en-us

    Arnav Sharma | Facebook | Twitter Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Sunday, February 02, 2014 1:22 PM
  • I am still not clear bit explain

    sccmghost@hotmail.com

    Sunday, February 02, 2014 1:54 PM
  • If you added the user to the built in administrators group on the SBS server (Domain Built-in Administrators), then that does not give that account permissions over any workstations on your domain.

    You will need to add that user to the administrators group of the workstations.  Like I mentioned on your other thread regarding this same type of issue, the BuiltIn\Administrators will give you admin rights on all DCs in a domain.  

    As arnavsharma has mentioned, if you want a group that you created to have administrative rights to all the workstations in a domain, or a specific OU, you'll need to make a GPO and link it.

    In that GPO, you'll establish 'Restricted Groups'.

    We've had this discussion before:
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/847f252d-9e17-4eff-88b3-92b40de98f63/someone-help-me-domain-controller-built-groups-like-administrator-d?forum=winservergen

    Your question on this forum thread seems to drift a little bit.  You're looking for how to give users rights over an OU, but then you're trying to install software on a machine.

    1) OU rights have to do with user objects.  It has nothing to do with user's permissions on a workstation.  You can control user objects with no machine admin access.
    2) You can have Machine rights with no OU administration rights. 

    The machine only cares about who is in the local administrators group of that machine.  It doesn't read into OU rights.

    I hope this helps.


    - Chris Ream -

    **Remember, if you find a post that is helpful, or is the answer, please mark it appropriately.**


    Sunday, February 02, 2014 2:59 PM