Delegation of administrative control

  • Question

  • How can I allow a desktop support specialist to install programs, join computers to the domain, etc. without making him/her a domain admin?  Our domain controllers are all Windows Server 2003.

    Wednesday, June 30, 2010 1:20 AM

Answers

  • Barry is incorrect in his statement.  (Sorry, Barry)  Well... he's correct in that this is the default, but you have the ability to change that.  In fact, Microsoft actually allows most of us to build and join computers to the domain ourselves.  We are local admins on our PCs, too.  But we're not Domain Admins.

    "How do you do that, Kevin?"

    There are a couple of ways.  You can either use Group Policy to give your users (or members of a particular security group like a "Desktop Support Specialists" group, if you want to be more selective) the "Add Workstations to Domain" User Right, or you can delegate the ability to create computer objects to particular OUs using ADUC.

    http://www.windowsitpro.com/article/domains2/jsi-tip-8144-how-can-i-allow-an-ordinary-user-to-add-a-computer-to-a-domain-.aspx

    As far as installing applications, you can either make all users local admins, or have a special security group (your "Desktop Support Specialists" group) that your desktop support specialists are members of.  Add that group to the local Administrators group on all PCs.  (that's something that, in a 2003 domain environment, you'll probably need to script.  In 2008 and newer I believe you can use Group Policy Preferences to add members to local groups.)

    I hope this helps,

    Kevin

    PS - This is not really the best forum in which to ask this question.  It is meant for IT Manager and IT Planning discussions. 


    Kevin Remde US IT Evangelism - Microsoft Corporation http://blogs.technet.com/kevinremde
    • Marked as answer by Kevin Remde Wednesday, June 30, 2010 11:53 AM
    Wednesday, June 30, 2010 11:52 AM
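To make the two delegations in Kevin's answer concrete, here is an added example that is not part of the original thread and not Microsoft's own script. Part 1 is the ADUC "delegate the ability to create computer objects on an OU" route done from the command line with dsacls (in the Windows Server 2003 Support Tools, built into Windows Server 2008 and later), granting the group only what a domain join actually needs. Part 2 is the computer startup script Kevin says a 2003 domain will need to put the same group into every PC's local Administrators group. The domain name EXAMPLE, the OU OU=Workstations,DC=example,DC=com and the group name "Desktop Support Specialists" are assumptions; substitute your own.

```batch
@echo off
REM Added example, not from the original thread. Assumed names: domain EXAMPLE,
REM OU "OU=Workstations,DC=example,DC=com", group "Desktop Support Specialists".

REM ===== Part 1: run once, as a Domain Admin, on a DC with dsacls available =====
set OU="OU=Workstations,DC=example,DC=com"
set GRP=EXAMPLE\Desktop Support Specialists

REM 1. Let the group create computer objects in this OU (and child OUs).
REM    Add DC (delete child) as "CCDC;computer" only if they must also remove objects.
dsacls %OU% /I:T /G "%GRP%:CC;computer"

REM 2. On the computer objects themselves (/I:S = sub-objects only), grant just
REM    what a join needs: reset the machine password, write the account-control
REM    flags, and the two validated writes that set dNSHostName and the SPN.
dsacls %OU% /I:S /G "%GRP%:CA;Reset Password;computer"
dsacls %OU% /I:S /G "%GRP%:RPWP;Account Restrictions;computer"
dsacls %OU% /I:S /G "%GRP%:WS;Validated write to DNS host name;computer"
dsacls %OU% /I:S /G "%GRP%:WS;Validated write to service principal name;computer"

REM 3. Check: list only the ACEs that mention the group, so you can confirm
REM    nothing broader (e.g. GA / full control) slipped in.
dsacls %OU% | findstr /I "Desktop Support Specialists"

REM ===== Part 2: contents of AddLocalAdmin.cmd, a computer STARTUP script =====
REM Assign it in a GPO linked to the workstation OU (Computer Configuration >
REM Windows Settings > Scripts > Startup). It runs as SYSTEM, so no credentials
REM are needed. The "find" test makes it idempotent: it only adds the group
REM when it is not already a member, avoiding an error on every boot.
REM
REM net localgroup Administrators | find /I "Desktop Support Specialists" >nul || net localgroup Administrators "EXAMPLE\Desktop Support Specialists" /add
```

Two points worth knowing before choosing between the routes in the answer. The "Add workstations to domain" user right is capped by the domain's ms-DS-MachineAccountQuota (10 joins per user by default) and puts new objects in the default Computers container, whereas explicit Create Computer Objects permission on an OU has no quota and lands the object where you delegated it. And once the group is in local Administrators on every PC, a single compromised member account is an administrator on every PC, so give the specialists a separate account for that group rather than their everyday login.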

All replies

  • I'm afraid to connect computers to a domain you need to have domain admin rights so that the AD can create the computer account object. Sorry for the bad news. You could always give him a separate "admin" account from his normal user account and disable/enable it when it's specifically needed by him/her?

    Hope that helps. Barry

    Wednesday, June 30, 2010 8:06 AM