New Domain - Server 2008 - headaches already! (my own fault I am sure)

MrGuvernment

Please bear with me, sure I am going to have a lot of silly posts over the next week, been pulling off 10-14 hour days, without a day off yet over the last week getting this new office up and running.

I am just setting up our operations manager's computer, and installing a client we use, unfortunately, it needs admin rights to run, heck I found out even Spybot S&D needs admin rights to immunize!!

This person is computer savvy, so I do want to give him rights to install programs and such, checking the built-in groups, I don't see any power user group I could add him to. As a test, I added him to the Administrators group under Member Of on the DC, rebooted, but it still wouldn't work....

My domain experience is minimal right now, so what do I need to do to allow him access to use his computer and this client?
 
Are you setting up GPOs for desktop lockdowns? Also, in the ADDS when you're selecting 'Administrators' I think what you're doing is granting him local access to that server, you should try to add him to the Domain Admins group for your testing.

You could also use the Delegation of Control wizard, but that only applies to the server I believe, not client side computer access.
 
I do plan to have GPO once everyone is moved into this office, will happen this week.

For now the executives move in tomorrow, and since they have fresh brand new machines, I want to get them on the DC and working and just have a million other things to get done during this move.

I found one method that seemed to work as a temporary solution perhaps.

Log into the system as a local admin account
Right click My Computer / Manage / Users and groups
Open the Administrator group
Add
and add the account on the domain, e.g. HARDOCP\MrGuv

and that then gives them local admin access to the computer
 
Even this doesn't sound like a very secure temporary solution since you have a working DC at your disposal. There is no built-in Power User group in ADDS as you've figured out thus far, but there is a way to create those same rights in a GPO, this is something I did on a 2k3 Server a while back. Create a Global Group inside an OU you wish to use. Add all necessary users you wish these Power User rights to populate on. Right click the OU -> GP Tab -> Open. From there edit the GPO from the console (assuming you have GPMC) navigate to: Computer Settings\Windows Settings\Security Settings\Restricted Groups - add the group you just created. For the Member Of... group type in "Power Users" (this will not show up if you searched for it under domain.local).

This should work, otherwise there is always the possibility of creating a logon script.
 
This is a simple problem with a simple fix. You didn't say what OS, but this works on XP and should be executed on the client machine.

Code:
net localgroup administrators /add yourdomain\user

What this does is add the user's login account to the *local* administrators group on the workstation.

If I read the OP correctly, the way you're currently doing it is granting them administrative rights on the server and possibly the entire domain.

With the above method, you can at least keep end users from doing anything on your Server/DC.
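
An added example, not part of the original post: a PowerShell audit that lists who is in a workstation's local Administrators group and marks anything outside an expected list, which is the check to run after using `net localgroup ... /add` as above. It assumes PowerShell 2.0 or later and the usual WinNT ADsPath shapes; the allow-list and the workstation name WS01 are made up for illustration.

```powershell
# Added example: audit local Administrators membership via the ADSI WinNT provider.
function ConvertFrom-AdsPath {
    # Typical shapes: WinNT://DOMAIN/COMPUTER/name (local account),
    #                 WinNT://DOMAIN/name          (domain account or group),
    #                 WinNT://S-1-5-21-...         (SID that no longer resolves).
    param([string]$AdsPath, [string]$Computer)
    $parts = @(($AdsPath -replace '^WinNT://', '') -split '/')
    if ($parts.Count -eq 3 -and $parts[1] -ieq $Computer) {
        $scope = 'Local';  $name = $parts[2]
    } elseif ($parts.Count -eq 2) {
        $scope = 'Domain'; $name = $parts[0] + '\' + $parts[1]
    } else {
        $scope = 'Unresolved'; $name = $parts[-1]
    }
    New-Object PSObject -Property @{ Scope = $scope; Name = $name }
}

function Get-LocalAdminPath {
    # Returns the ADsPath of every member of the local Administrators group.
    param([string]$Computer = $env:COMPUTERNAME)
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
    }
}

function Get-LocalAdminReport {
    # Marks each member 'expected' if it is on the allow-list, otherwise 'REVIEW'.
    param([string[]]$AdsPath, [string]$Computer, [string[]]$Allowed)
    foreach ($p in $AdsPath) {
        $e = ConvertFrom-AdsPath -AdsPath $p -Computer $Computer
        if ($Allowed -contains $e.Name) { $status = 'expected' } else { $status = 'REVIEW' }
        New-Object PSObject -Property @{ Name = $e.Name; Scope = $e.Scope; Status = $status }
    }
}

# Hypothetical allow-list; HARDOCP\MrGuv is the account named in the thread.
$allowed = 'Administrator', 'HARDOCP\Domain Admins', 'HARDOCP\MrGuv'

# Constructed sample paths so the logic can be checked without a domain.
$sample = 'WinNT://HARDOCP/WS01/Administrator', 'WinNT://HARDOCP/Domain Admins',
          'WinNT://HARDOCP/MrGuv', 'WinNT://HARDOCP/tempuser'
Get-LocalAdminReport -AdsPath $sample -Computer 'WS01' -Allowed $allowed |
    Format-Table Name, Scope, Status

# Live check on the machine the script runs on.
Get-LocalAdminReport -AdsPath (Get-LocalAdminPath) -Computer $env:COMPUTERNAME -Allowed $allowed |
    Format-Table Name, Scope, Status
```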
 
^^that is basically what I did, but just by clicking :D, at first I thought domain, then I was like, um, ya, well, that reallllly isn't secure..

So all I did was add their domain account to the local machine's administrator group.

For me it has been one of those weeks with problem after problem and since our developers won't change the coding on our client to not need admin rights, which it has no reason to need anyways! I have to make the changes.

Once everyone is moved into our new office, I will have the proper time to lock down the DC with proper Group policies and such :D so then everyone will hate me.
 