[gptalk] Re: Having 1 central user to administer workstations

  • From: "Craig Meyer" <craigmeyer8@xxxxxxxxxxx>
  • To: gptalk@xxxxxxxxxxxxx
  • Date: Sat, 16 Jun 2007 21:31:23 +0200

Thanks for your response Omar - I will indeed try and implement as much as I can from your post. I have Win XP machines and Win Server 2003.

Craig Meyer

"He had no servants - yet they called Him Master, no degrees - yet they called Him Teacher, no medicine - yet they called Him Healer, no army yet the Kings feared Him. He won no military battles yet He conquered the world. He committed no crime yet they crucified Him. He was buried in a tomb yet He lives 2day....?


From: "Omar Droubi" <omar@xxxxxxxxxxxxxxxxxxxxx>
Reply-To: gptalk@xxxxxxxxxxxxx
To: <gptalk@xxxxxxxxxxxxx>
Subject: [gptalk] Re: Having 1 central user to administer workstations
Date: Fri, 15 Jun 2007 11:11:34 -0700

Craig,

Even though your helpdesk staff changes frequently, having the entire group use a single account reduces accountability and tracking.

I recommend the following:

Create a domain global or universal group called WorkstationAdmins

Create an OU called Workstations

For each workstation that you want the Jr admins to be able to manage, move the corresponding computer account into the Workstations OU

Note: Do not move any server computer accounts that you do not want the junior admins to manage, and do not move any domain controller or Exchange servers into this OU either.

Now I am assuming your workstations are XP, right?

If XP- now create a group policy called WorkstationAdminGPO

Open that policy and add the domain\workstationadmins group to the restricted groups

Open the properties of this group and in the "member of" section add the group "Administrators"

Save the GPO and then link it to the Workstations OU

When group policy updates on those computer accounts, if you review the local Administrators group you should see the Domain\WorkstationAdmins group.

Last step- as techs join the help desk group- add them to the domain\workstationadmins.

Ok next last step- Now please remember that you must also secure who can change group membership of the domain\workstationadmins group, as anyone who is a member of this group can administer any workstation in the OU.

If you are running Windows 2000 Professional this process will change slightly, but in the GPO instead of using the restricted group setting you would add a computer startup script that adds the domain\workstationadmin group to the local computer Administrators group.

If you added the support user or any of the junior techs to the Domain Admins group, they would immediately have full admin rights on all workstations and also all servers and Active Directory, so be cautious there.

Omar
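Added example, not part of Omar's post or the thread: a PowerShell audit that reads the local Administrators group on each workstation through the WinNT ADSI provider (which also answers on XP boxes) and flags machines where the domain WorkstationAdmins group is missing (Restricted Groups not applied yet) or where an unexpected member such as a shared "Support" account is still present. The domain name CONTOSO, the computer names and the allowed-member list are assumptions.

```powershell
# Audit local Administrators membership on a set of workstations.
# Assumed names: domain CONTOSO, group WorkstationAdmins (example, not from the thread).
$Domain    = 'CONTOSO'
$Required  = "$Domain\WorkstationAdmins"
$Allowed   = @($Required, "$Domain\Domain Admins", 'Administrator')
$Computers = @('WS001', 'WS002')   # constructed list; replace with an OU query

function Get-LocalAdminMembers {
    param([string]$ComputerName)
    # WinNT provider: works against XP/2003 without remoting.
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    $group.psbase.Invoke('Members') | ForEach-Object {
        # Each member is a COM object; pull its ADsPath via late binding.
        $path  = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        # ADsPath looks like WinNT://CONTOSO/WorkstationAdmins or WinNT://WS001/Administrator
        $parts = ($path -replace '^WinNT://', '') -split '/'
        if ($parts[0] -ieq $ComputerName) { $parts[1] } else { "$($parts[0])\$($parts[1])" }
    }
}

foreach ($c in $Computers) {
    try {
        $members = @(Get-LocalAdminMembers -ComputerName $c)
    } catch {
        Write-Warning "$c : could not read Administrators group ($($_.Exception.Message))"
        continue
    }
    if ($members -notcontains $Required) {
        Write-Warning "$c : $Required missing - Restricted Groups GPO not applied?"
    }
    # Anything outside the allowed set (e.g. a shared 'Support' account) is a finding.
    $unexpected = @($members | Where-Object { $Allowed -notcontains $_ })
    foreach ($m in $unexpected) { Write-Warning "$c : unexpected local admin $m" }
    if ($unexpected.Count -eq 0) { Write-Output "$c : OK ($($members -join ', '))" }
}
```

Run it from a workstation-admin context after a gpupdate on the targets; warnings give you the list of machines to re-check before trusting the GPO rollout.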

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of joakim dahl
Sent: Friday, June 15, 2007 6:00 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Having 1 central user to administer workstations

 

or even better add a group called "IT Support Juniors" to the Administrators group
and when the personnel changes you just disable their account and add new accounts to the group
enough about this .....


On 6/15/07, razor@xxxxxxxxxxxxxxxxxxxxxxxx < razor@xxxxxxxxxxxxxxxxxxxxxxxx> wrote:

Hi Craig

Not too sure how security conscious you are about the whole thing, but why don't
you just make the account a member of the Domain Admins group? You wouldn't need to
worry about GPOs then..

You could use restricted groups via group policy, but there are a number of factors
to be considered - plenty of information on the net about this..

The other option is to create a batch file that will run at start-up via Group
Policy. Within the .bat file, include this line:

NET LOCALGROUP Administrators "DOMAIN\Username" /ADD

Hope this helps

Ray


On Fri Jun 15 11:18 , 'Craig Meyer' <craigmeyer8@xxxxxxxxxxx> sent:

>
>Hi all
>Please help me in my first post. I'm a newbie in GPOs so please don't scream at me :-(
>I have created one user account called "Support". The reason for this is because the junior technicians in my company come and go and I want to create ONE account so that they would be able to use the same account to work on all the workstations in the network. This "Support" account I want to give admin rights when someone logs onto the workstations so that they will be able to install and administrate the workstations.
>I want to do this through a GPO please. In the meanwhile I have done the following. I have created a GPO called "MakeJuniorTechAdminonWorkstations" (what a name - haha) and I have created a New OU, called it "Support", and in that OU I have created a user called "Support" which has normal domain user rights. Can someone help me from here please to accomplish my task???? Please?????
>Do I now right-click the "Support" OU and select "Create and link a GPO here" or where from here - Thanks for the help everyone
>
>Craig Meyer
>
>"He had no servants - yet they called Him Master, no degrees - yet they called Him Teacher, no medicine - yet they called Him Healer, no army yet the Kings feared Him. He won no military battles yet He conquered the world. He committed no crime yet they crucified Him. He was buried in a tomb yet He lives 2day...."
>
>You can unsubscribe from gptalk by sending email to gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by logging into the freelists.org Web interface. Archives for the list are available at http://www.freelists.org/archives/gptalk/






--
Best regards Joakim Dahl
http://wize.spaces.msn.com
msn joakim.dahl@xxxxxxxxx / icq 1596678




