[gptalk] Re: Having 1 central user to administer workstations

  • From: "Omar Droubi" <omar@xxxxxxxxxxxxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Fri, 15 Jun 2007 11:11:34 -0700

Craig,

Even though your helpdesk staff changes frequently, having the entire
group use a single account reduces accountability and tracking.

I recommend the following:

Create a domain global or universal group called WorkstationAdmins.

Create an OU called Workstations.

For each workstation that you want the Jr admins to be able to manage,
move the corresponding computer account into the Workstations OU.

Note: Do not move any server computer accounts that you do not want the
junior admins to manage, and do not move any domain controller or
Exchange servers into this OU either.

Now I am assuming your workstations are XP, right?

If XP - now create a group policy called WorkstationAdminGPO.

Open that policy and add the domain\workstationadmins group to the
restricted groups.

Open the properties of this group and in the "member of" section add the
group "administrators".

Save the GPO and then link it to the Workstations OU.

When group policy updates on those computer accounts, if you review the
local Administrators group you should see the Domain\WorkstationAdmins
group.

Last step - as techs join the help desk group, add them to
domain\workstationadmins.

Ok, next last step - now please remember that you must also secure who can
change group membership of the domain\workstationadmins group, as anyone
who is a member of this group can administer any workstation in the OU.

If you are running Windows 2000 Professional this process will change
slightly - but in the GPO, instead of using the restricted group setting,
you would add a computer startup script that adds the
domain\workstationadmin group to the local computer Administrators
group.

If you added the support user or any of the junior techs to the domain
admins group, they would immediately have full admin rights on all
workstations and also all servers and Active Directory, so be cautious
there.

Omar
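The provisioning and the two checks Omar describes (group + OU, moving only workstations, verifying the local Administrators group after the policy applies, and watching who sits in WorkstationAdmins), written out as an added PowerShell example. This is not Omar's code or anything from the gptalk list; it assumes the RSAT ActiveDirectory module, a constructed domain example.com with NetBIOS name EXAMPLE, WinRM reachable on the workstations, and constructed tech account names. The Restricted Groups setting itself is still configured in the GPO editor (Computer Configuration > Windows Settings > Security Settings > Restricted Groups) exactly as the post says; there is no cmdlet for it, so the script only verifies its effect.

```powershell
# Added example, not the list's or Omar's code. Assumes RSAT's ActiveDirectory
# module, a domain example.com (NetBIOS EXAMPLE) and WinRM on the workstations;
# adjust the names below for your forest.
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

$DomainDn  = 'DC=example,DC=com'   # assumption: your domain DN
$NetBios   = 'EXAMPLE'             # assumption: your NetBIOS domain name
$OuName    = 'Workstations'
$GroupName = 'WorkstationAdmins'
$OuDn      = "OU=$OuName,$DomainDn"

# Steps 1-2: the group and the OU. The existence checks make the script safe to re-run.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" -SearchBase $DomainDn)) {
    New-ADOrganizationalUnit -Name $OuName -Path $DomainDn
}
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path "CN=Users,$DomainDn"
}

# Step 3: move only workstations. Servers (OS name contains "Server") and domain
# controllers (primary group RID 516, RODC 521) are refused, per the note in the post.
function Move-WorkstationToOu {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    foreach ($name in $ComputerName) {
        $c = Get-ADComputer -Identity $name -Properties OperatingSystem, PrimaryGroupID
        if ($c.PrimaryGroupID -in 516, 521 -or $c.OperatingSystem -match 'Server') {
            Write-Warning "Refusing to move $name ($($c.OperatingSystem)): not a workstation"
            continue
        }
        Move-ADObject -Identity $c.DistinguishedName -TargetPath $OuDn
    }
}

# Parse 'net localgroup Administrators' output (works on every Windows version the
# thread mentions) and return members that are not on the allow list.
function Get-UnexpectedLocalAdmin {
    param([string[]]$NetOutput, [string[]]$Allowed)
    $inList = $false
    foreach ($line in $NetOutput) {
        if ($line -match '^-{10,}') { $inList = $true; continue }   # dashed separator
        if (-not $inList) { continue }
        $m = $line.Trim()
        if (-not $m -or $m -like 'The command completed*') { continue }
        if ($Allowed -notcontains $m) { $m }
    }
}

# Step 4 (after gpupdate): every computer in the OU should show the domain group and
# nothing unexpected. 'Administrator' and Domain Admins are allowed here; tailor the list.
$Allowed = @('Administrator', "$NetBios\Domain Admins", "$NetBios\$GroupName")
function Test-WorkstationAdmins {
    Get-ADComputer -Filter * -SearchBase $OuDn | ForEach-Object {
        $pc = $_.Name
        try {
            $out   = Invoke-Command -ComputerName $pc -ScriptBlock { net localgroup Administrators }
            $extra = @(Get-UnexpectedLocalAdmin -NetOutput $out -Allowed $Allowed)
            if ($extra.Count) {
                Write-Warning "${pc}: unexpected local admins: $($extra -join ', ')"
            } elseif (-not ($out -match [regex]::Escape("$NetBios\$GroupName"))) {
                Write-Warning "${pc}: $GroupName not present yet (policy not applied?)"
            }
        } catch { Write-Warning "${pc}: unreachable - $_" }
    }
}

# Last step: the group is now the trust boundary, so audit its (nested) membership
# against the approved tech list whenever staff change.
function Test-GroupMembership {
    param([string[]]$ApprovedSamAccountNames)
    $actual = @(Get-ADGroupMember -Identity $GroupName -Recursive | Select-Object -ExpandProperty SamAccountName)
    [pscustomobject]@{
        Unapproved = @($actual | Where-Object { $ApprovedSamAccountNames -notcontains $_ })
        Missing    = @($ApprovedSamAccountNames | Where-Object { $actual -notcontains $_ })
    }
}

# Usage (constructed names):
# Move-WorkstationToOu -ComputerName 'WS001', 'WS002'
# Test-WorkstationAdmins
# Test-GroupMembership -ApprovedSamAccountNames 'jr.tech1', 'jr.tech2'
```

Run Test-WorkstationAdmins after the policy refresh interval (or a gpupdate on a test machine): a workstation that lists the group is done, one that does not has not processed the GPO, and one that lists anything outside the allow list has picked up a local admin the policy did not put there. Test-GroupMembership is the "secure who can change group membership" step turned into a routine check, since the group's ACL and not the GPO decides who can hand out workstation admin rights.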

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of joakim dahl
Sent: Friday, June 15, 2007 6:00 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Having 1 central user to administer workstations

 

Or even better, add a group called "IT Support Juniors" to the
administrators group,
and when the personnel changes you just disable their account and add
new accounts to the group.
Enough about this .....




On 6/15/07, razor@xxxxxxxxxxxxxxxxxxxxxxxx <razor@xxxxxxxxxxxxxxxxxxxxxxxx> wrote:

Hi Craig

Not too sure how security conscious you are about the whole thing, but
why don't you just make the account a member of the domain admins group?
You wouldn't need to worry about GPO's then..

You could use restricted groups via group policy, but there are a number
of factors to be considered - plenty of information on the net about this..

The other option is to create a batch file that will run at start-up via
Group Policy. Within the .bat file, include this line:

NET LOCALGROUP Administrators "DOMAIN\Username" /ADD

Hope this helps

Ray
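The startup-script route Ray sketches, as an added example that is not Ray's script or anything from the list. It grants a domain group rather than a single user (the point Joakim and Omar make), only adds the group when it is not already present, and logs what it did so a failed or redundant add can be seen on the machine. It assumes a constructed group EXAMPLE\WorkstationAdmins and Windows 7 / Server 2008 R2 or later clients, which PowerShell startup scripts require; on 2000/XP the one-line .bat above is the equivalent, minus the checks.

```powershell
# Added example, not Ray's script. Intended as a GPO computer startup script
# (Computer Configuration > Windows Settings > Scripts > Startup), so it runs as
# SYSTEM before logon. Group name and log path are assumptions.
$Member = 'EXAMPLE\WorkstationAdmins'                       # assumption: your domain group
$Log    = Join-Path $env:SystemRoot 'Temp\localadmin-startup.log'

function Write-Log([string]$Text) {
    Add-Content -Path $Log -Value ('{0} {1} {2}' -f (Get-Date -Format s), $env:COMPUTERNAME, $Text)
}

function Test-LocalAdminMember([string]$Name) {
    # net.exe prints one member per line after a dashed separator; trim and compare
    # (string comparison is case-insensitive in PowerShell, matching Windows).
    $lines = & net.exe localgroup Administrators 2>&1 | ForEach-Object { "$_".Trim() }
    return ($lines -contains $Name)
}

function Add-LocalAdminMember([string]$Name) {
    if (Test-LocalAdminMember $Name) {
        Write-Log "$Name already a member, nothing to do"
        return $true
    }
    $result = & net.exe localgroup Administrators $Name /ADD 2>&1
    if ($LASTEXITCODE -eq 0) {
        Write-Log "added $Name"
        return $true
    }
    # net.exe reports the Win32 error in its output, e.g. "System error 1378 has
    # occurred" (already a member; can happen if Restricted Groups added it between
    # the check and the add) or 1789 (trust relationship with the domain failed).
    Write-Log "FAILED to add $Name (exit $LASTEXITCODE): $($result -join ' ')"
    return $false
}

Add-LocalAdminMember -Name $Member | Out-Null
```

Because the script only ever adds one fixed domain group, the per-technician churn Craig describes is handled in Active Directory by changing that group's membership, and the workstations never need to be touched again. The log line per machine is also the cheapest way to confirm the policy actually ran on every workstation in the OU.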


On Fri Jun 15 11:18 , 'Craig Meyer' <craigmeyer8@xxxxxxxxxxx> sent:

>
> Hi all
> Please help me in my first post. I'm a newbie in GPO's so please don't
> scream at me :-(
> I have created one user account called "Support". The reason for this
> is because the junior technicians in my company come and go and I want
> to create ONE account so that they would be able to use the same account
> to work on all the workstations in the network. This "Support" account
> I want to give admin rights when someone logs onto the workstations so
> that they will be able to install and administrate the workstations.
> I want to do this through a GPO please. In the meanwhile I have done the
> following. I have created a GPO called
> "MakeJuniorTechAdminonWorkstations" (what a name - haha) and I have
> created a new OU, called it "Support", and in that OU I have created a
> user called "Support" which has normal domain user rights. Can someone
> help me from here please to accomplish my task???? Please?????
> Do I now right-click the "Support" OU and select "Create and link a GPO
> here" or where from here - Thanks for the help everyone
>
> Craig Meyer
>
> "He had no servants - yet they called Him Master, no degrees - yet they
> called Him Teacher, no medicine - yet they called Him Healer, no army -
> yet the Kings feared Him. He won no military battles yet He conquered
> the world. He committed no crime yet they crucified Him. He was buried
> in a tomb yet He lives 2day...." The Live Earth concert on the 7th July
> 2007, with more than 150 top musicians Live Earth Concert
>
> You can unsubscribe from gptalk by sending email to
> gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR
> by logging into the freelists.org Web interface. Archives for the list
> are available at http://www.freelists.org/archives/gptalk/






-- 
Best regards Joakim Dahl
http://wize.spaces.msn.com 
msn joakim.dahl@xxxxxxxxx / icq 1596678 
