How to handle multiple Admins?

TechieSooner (Supreme [H]ardness, joined Nov 7, 2007, 7,601 messages)
Let's say I've got a network with 3 Server 2003 machines on it, all members of the same domain.

App Server, Domain Controller, Exchange server.

Let's say I want one administrator (actually a vendor I use) to have admin rights on anything to do with the App Server, but I don't want him in my Domain Controller or Exchange servers. How'd you suggest doing that?
He can have domain access in general (like to the administrative shares on users' PCs and such), yet I don't need him to be able to access my DNS, DHCP or Exchange settings.
 
Just give him a domain account then add that account to the local admin group on the app server. Should be that simple, or am I missing something?
 

Alright but what about accessing the Admin shares across the network? I'd think doing that I'd still lack that ability?
 
Add his domain account to the shares you wish to allow him access to.

Individually? That would be a major PITA...
Remote Registry, administrative shares, these sorts of things are what the vendor needs access to on users' PCs. I just don't want them on my other servers themselves.
 
Add him to the local admin group on the users' PCs that he needs access to as well.
 
Make a "Local PC Admins" group in AD, add that group to the administrators group on the PCs. Add the vendor to the "Local PC Admins" group. Now you can add/remove users at will from the group and they have admin rights to the PC without having to touch it.
 

Ahh, never thought of that.
I've been doing this as the need came up but haven't done it for each PC yet... Guess I'll get onto that. Thanks for the idea!
 

Yeah, I generally do this or something similar for all the clients I work for. I set up the following groups in AD and then add those groups to the local groups on the PCs when I join them to the domain. It works fairly well: add/remove domain accounts to/from the groups as needed, and then never touch the PCs again unless you only want specific users to have rights on specific machines.

PC Admins - Local administrator group
PC Power Users - Local power users group and remote desktop users group
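The two posts above describe one pattern: create the groups once in AD, map each AD group into a local group on every workstation, and from then on manage people only through AD group membership. The following PowerShell is an added example written for this page, not code from either poster. It assumes the RSAT ActiveDirectory module on the admin machine, PowerShell 5.1 or later on the workstations (for the Microsoft.PowerShell.LocalAccounts cmdlets), WinRM enabled, and that it runs from a machine joined to the same domain. The names are hypothetical: domain corp.example, OUs "OU=Delegation Groups,DC=corp,DC=example" and "OU=Workstations,DC=corp,DC=example", vendor account vendor.app.

```powershell
# Added example for this page, not the posters' own code.
# Assumes: RSAT ActiveDirectory module, PowerShell 5.1+ on the targets (LocalAccounts module),
# WinRM enabled, run from a machine joined to the same domain (for $env:USERDOMAIN).
# Hypothetical names: corp.example, the two OUs below, and the vendor account 'vendor.app'.
Import-Module ActiveDirectory

$GroupOU       = 'OU=Delegation Groups,DC=corp,DC=example'
$WorkstationOU = 'OU=Workstations,DC=corp,DC=example'
$Vendor        = 'vendor.app'

# AD group -> local groups it lands in on every workstation (the mapping from the thread).
$Mapping = @{
    'PC Admins'      = @('Administrators')
    'PC Power Users' = @('Power Users', 'Remote Desktop Users')
}

# 1. Create the delegation groups once; safe to re-run.
foreach ($name in $Mapping.Keys) {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'" -SearchBase $GroupOU)) {
        New-ADGroup -Name $name -GroupScope Global -GroupCategory Security -Path $GroupOU `
            -Description ("Members become local " + ($Mapping[$name] -join ' + ') + " on workstations")
    }
}

# 2. People are managed only here, never on individual PCs.
Add-ADGroupMember -Identity 'PC Power Users' -Members $Vendor

# 3. Scope strictly to the workstation OU. The DC, Exchange and app servers live in other OUs
#    and are never touched by this script, which is what keeps the vendor off them.
$Workstations = Get-ADComputer -Filter * -SearchBase $WorkstationOU |
                Select-Object -ExpandProperty Name

# 4. Push the mapping into the local groups. Only the domain *group* is added, so adding or
#    removing a person later needs no further contact with the PC.
Invoke-Command -ComputerName $Workstations -ArgumentList $Mapping, $env:USERDOMAIN -ScriptBlock {
    param($Mapping, $Domain)
    foreach ($adGroup in $Mapping.Keys) {
        foreach ($localGroup in $Mapping[$adGroup]) {
            $member  = "$Domain\$adGroup"
            $current = Get-LocalGroupMember -Group $localGroup -ErrorAction SilentlyContinue |
                       Select-Object -ExpandProperty Name
            if ($current -notcontains $member) {
                Add-LocalGroupMember -Group $localGroup -Member $member
                "$env:COMPUTERNAME : added $member to $localGroup"
            }
        }
    }
}
```

Two caveats a practitioner would want here. First, the same mapping can be applied and kept enforced without a script by Group Policy (Restricted Groups, or Group Policy Preferences "Local Users and Groups" with the update action); the script is handy for machines already joined, but policy is what stops a local admin from quietly adding extra members. Second, the thread's Power Users discussion is Windows XP/Server 2003 era: on Windows Vista and later the Power Users group still exists but carries no special rights by default, so "PC Power Users" on a modern client is effectively Users plus Remote Desktop Users unless you grant specific rights to it.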
 
Also, what's odd, if my memory serves me right, is the "Local Administrators" group that you add: in the context box it looks like you're adding a user, and then it never actually shows up (although it does work).

This is something I've been overlooking.
I should have been using POWER USERS, not ADMINISTRATORS. If memory serves me correctly, Power Users is essentially the same thing; the users just can't access stuff they didn't create.
 

There is more to it than that. Power Users have the ability to install programs and some drivers, etc. They cannot change IP addresses on any network adapters, and they can RDP in unless you add them to the Remote Users group. I can't remember offhand if they can remove software; I think they may also not be able to change certain other system settings as well.
 
Easy solution - deny access to the two servers via Group Policy for his specific domain admin username.
 

I hate using "Deny" functions. It's the same problem as denying permissions on shares and such; it's bad practice to use. I'd rather design in such a way that it's never a problem.

I think the Power Users suggestion is the best one to do what I need to do!
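The constraint the OP settled on (domain access for the vendor, but no admin rights on the DC or Exchange) is easy to break later by a nested group or a one-off "temporary" addition, so it is worth verifying rather than assuming. The following PowerShell audit is an added example for this page, not code from the thread. It assumes the RSAT ActiveDirectory module, PowerShell 5.1 or later and WinRM on the listed member servers, and that it runs from a machine joined to the same domain; the names vendor.app and EXCH01 are hypothetical.

```powershell
# Added verification example for this page, not code from the thread.
# Assumes: RSAT ActiveDirectory module, PowerShell 5.1+ and WinRM on the member servers,
# run from a machine joined to the same domain (for $env:USERDOMAIN).
# Hypothetical names: vendor account 'vendor.app', Exchange member server 'EXCH01'.
Import-Module ActiveDirectory

$Vendor           = Get-ADUser -Identity 'vendor.app'
$ProtectedServers = @('EXCH01')   # member servers the vendor must not administer
$ProtectedGroups  = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                      'Account Operators', 'Server Operators', 'Backup Operators',
                      'DnsAdmins', 'DHCP Administrators')

# RFC 4515 escaping for the characters that are special inside an LDAP filter value.
function ConvertTo-LdapFilterValue([string]$Value) {
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

# LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) walks nested membership server-side in
# one query, so a vendor placed in 'App Server Admins' which is itself inside 'Domain Admins'
# is still caught. On a domain controller there is no separate local Administrators group;
# BUILTIN\Administrators and Domain Admins in this list are what grant admin there.
$dn     = ConvertTo-LdapFilterValue $Vendor.DistinguishedName
$Nested = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" |
          Select-Object -ExpandProperty Name

$Findings = [System.Collections.Generic.List[string]]::new()
foreach ($g in $ProtectedGroups) {
    if ($Nested -contains $g) {
        $Findings.Add("AD: $($Vendor.SamAccountName) is a (possibly nested) member of '$g'")
    }
}

# Member servers: the vendor is a local admin if either his account or any group he is
# transitively in sits in the server's local Administrators group.
$Domain = $env:USERDOMAIN
$Names  = @("$Domain\$($Vendor.SamAccountName)") + @($Nested | ForEach-Object { "$Domain\$_" })

$LocalAdmins = Invoke-Command -ComputerName $ProtectedServers -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' |
        ForEach-Object { [pscustomobject]@{ Server = $env:COMPUTERNAME; Member = $_.Name } }
}
foreach ($entry in $LocalAdmins) {
    if ($Names -contains $entry.Member) {
        $Findings.Add("$($entry.Server): local Administrators contains '$($entry.Member)'")
    }
}

if ($Findings.Count -gt 0) {
    $Findings | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output "OK: $($Vendor.SamAccountName) holds no admin rights on $($ProtectedServers -join ', ') or in the domain's protected groups."
```

Add to $ProtectedGroups any product-specific admin groups in the environment (Exchange role groups, for example), since those grant settings access without local Administrators membership. The check complements the "design it so Deny is never needed" approach above: it confirms the design still holds after the next round of changes instead of relying on a deny rule to catch a mistake.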
 