Desktop Administrator Accounts

I need to start creating individual accounts for our help desk personnel. I
believe I have the AD Delegation working, but how do I control or give these
users the ability to logon remotely using RDP and log on deskside with admin
rights?

Hi tkutil,

create an security group called a.e. "Desktop-Admins-RDP" and assign
persmissions at clients for RDP logon permissions to this group.
You should use GPO to configure these settings on the desktops - see article
below.

More details around configuration options for RDP can you find here ->
Configure Remote Desktop
http://technet.microsoft.com/en-us/l.../bb457106.aspx

PS : on some OS's RDP need to be enabled first

Hope that helps

Regards
Ramazan

"tkutil" <> wrote in message
news:E361D98A-C1E9-43B5-AC24-...
> I need to start creating individual accounts for our help desk personnel.
> I
> believe I have the AD Delegation working, but how do I control or give
> these
> users the ability to logon remotely using RDP and log on deskside with
> admin
> rights?

If you want them to be local admins so they
can perform maintenance than you should consider using restricted groups:

To use the restricted user group gpo setting


computer configuration \ windows settings \ restricted groups


group = your group to be made local admins
member of = BUILTIN\Administrators


http://www.windowsecurity.com/articl...ed-Groups.html


http://www.microsoft.com/technet/pro...ver2003/librar...


http://www.microsoft.com/resources/d...s/xp/all/prodd...


There is absolutely nothing that has to be done on the client side.


Create the gpo in the ou where the Computers reside (NOT the users), go to
computer configuration/windows settings/security settings/restricted groups,
right click on restricted groups and select new group (For the local
computers, this group name should be - administrators) and key in the group
you want auto populated. Select add on the Members of this group and then
add the members you want populated.


Note: Be aware that the higher you place this setting within the domains
group policy the possibility exists it is applied to machines you may not
want it applied to. With this in mind you should try and avoid this setting
at the domain level, with the exception on the domain admins group. We have
some users who are local admins on machines and for some reason they feel
compelled to remove the domain admins from their local administrators group.
Setting this at the domain level manages these annoying users.





--
Paul Bergson
MVP - Directory Services
MCITP - Enterprise Administrator
MCTS, MCT, MCSE, MCSA, MCP, Security +, BS CSci
2008, Vista, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com Twitter - @pbbergs

Please no e-mails, any questions should be posted in the NewGroups. This
posting is provided "AS IS" with no warranties and confers no rights.
"tkutil" <> wrote in message
news:E361D98A-C1E9-43B5-AC24-...
>I need to start creating individual accounts for our help desk personnel. I
> believe I have the AD Delegation working, but how do I control or give
> these
> users the ability to logon remotely using RDP and log on deskside with
> admin
> rights?