Windows 2008 domain controller
Dear All, We have windows 2008 server with domain controller . It's working fine . I have more group one of the group name IT. IT group we have around 15 members . some IT members support branches System . Like remote support . The branches support engg . some time they are doing install new software or hardware . change the IP address form branches pc. Here i come to the point . All users and branches PC's member of domain controller. our branches support engg asking permission per change IP , Install software , remotely log-in to my branches servers. which permission can i give them for above purpose ? Advance Thanks Subash
July 24th, 2012 6:52am

Hi Suriya, You can make them as member of local administrator group on the clients, and workstation PC's to allow them to install the software and change IP address configuration on the client machines. If you want them only to change IP address related configuration you can add them to Network Configuration Operators group. To do this: Control panel > Administrative tools > Computer Managment > Local Users and Groups > Groups > Network Configuration Operators > (right click) Add to Group You can easily achieve this using Restricted Groups in group policy. Step by step: http://www.windowsecurity.com/articles/using-restricted-groups.html Florian's Blog How to use Restricted Groups? Part I www.frickelsoft.net/blog/?p=13 Description of Group Policy Restricted Groups support.microsoft.com/kb/279301 For remote logon permission to branch servers - you need to add a user to Remote Desktop Users group. Adding the user to the Remote Desktop users group gives them the Remote Logon Rights to machine as the Remote Desktop Users group is already a part of the GPO Allow Logon through Terminal Services. More info: http://blogs.technet.com/b/askperf/archive/2011/09/09/allow-logon-through-terminal-services-group-policy-and-remote-desktop-users-group.aspx Regards, Rafic If you found this post helpful, please give it a "Helpful" vote. If it answered your question, remember to mark it as an "Answer". This posting is provided "AS IS" with no warranties and confers no rights! Always test ANY suggestion in a test environment before implementing!
Free Windows Admin Tool Kit Click here and download it now
July 24th, 2012 7:13am

To install s/w, change IP etc... users need to be part of local admin group of member servers and branch office PCs. Add the security group mentioned above in local admin group of member servers and branch office PCs. If you would like to grant privileges for the branch office admins to log on to branch office DCs, add them in Server Operators built in group. On domain controllers, members of this group can log on interactively, create and delete shared resources, start and stop some services, back up and restore files, format the hard disk, and shut down the computer. This group has no default members. Because this group has significant power on domain controllers, add users with caution. You can also use restricted groups Group Policy Restricted Groups : http://www.msresource.net/paulw/group_policy_restricted_groups.html How To Use Restricted Groups? Part I : http://www.frickelsoft.net/blog/?p=13 HTH Edit: I was Bit late... Rafic already answered. I do not represent the organisation I work for, all the opinions expressed here are my own. This posting is provided "AS IS" with no warranties or guarantees and confers no rights. - .... .- -. -.- ... --..-- ... .- -. - --- ... ....
July 24th, 2012 7:21am

Dear All, Thanks for replay . we have around 125 branches near 900 PC's how can i add every users to every PC's ? pls can u say best options . i want to solve this issue . Regards Subash
Free Windows Admin Tool Kit Click here and download it now
July 24th, 2012 1:18pm

Hi subashu, you can achieve this easily with the help of gpo restricted groups. Just go through the links relates to restricted groupa which i posted earlier.Regards, Rafic If you found this post helpful, please give it a "Helpful" vote. If it answered your question, remember to mark it as an "Answer". This posting is provided "AS IS" with no warranties and confers no rights! Always test ANY suggestion in a test environment before implementing!
July 24th, 2012 1:32pm

You are going to have to use the administrator group if you are trying to install software... this is dangerous for any work environment though... if you just want the IT department to be able to do this, add them to the administrator group in AD.
Free Windows Admin Tool Kit Click here and download it now
July 24th, 2012 4:21pm

Hi Suriya, Yes, I agree with Allen. Don't give the user the local administrator rights. That makes them to do anything on the client workstation. Instead add your branch support engineer group or IT help desk members group to the local administrator group using restricted groups group policy. So only the branch administrator can change the IP address configuration and install the required software on the client workstations.Regards, Rafic If you found this post helpful, please give it a "Helpful" vote. If it answered your question, remember to mark it as an "Answer". This posting is provided "AS IS" with no warranties and confers no rights! Always test ANY suggestion in a test environment before implementing!
July 25th, 2012 2:19am

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics