Desktop Administrator Accounts

Discussion in 'Active Directory' started by tkutil, May 18, 2010.

  1. tkutil

    tkutil Guest

    I need to start creating individual accounts for our help desk personnel. I
    believe I have the AD Delegation working, but how do I control or give these
    users the ability to logon remotely using RDP and log on deskside with admin
    rights?
     
    tkutil, May 18, 2010
    #1
    1. Advertising

  2. tkutil

    RCan Guest

    Hi tkutil,

    create an security group called a.e. "Desktop-Admins-RDP" and assign
    persmissions at clients for RDP logon permissions to this group.
    You should use GPO to configure these settings on the desktops - see article
    below.

    More details around configuration options for RDP can you find here ->
    Configure Remote Desktop
    http://technet.microsoft.com/en-us/library/bb457106.aspx

    PS : on some OS's RDP need to be enabled first

    Hope that helps

    Regards
    Ramazan

    "tkutil" <> wrote in message
    news:...
    > I need to start creating individual accounts for our help desk personnel.
    > I
    > believe I have the AD Delegation working, but how do I control or give
    > these
    > users the ability to logon remotely using RDP and log on deskside with
    > admin
    > rights?
     
    RCan, May 18, 2010
    #2
    1. Advertising

  3. If you want them to be local admins so they
    can perform maintenance than you should consider using restricted groups:

    To use the restricted user group gpo setting


    computer configuration \ windows settings \ restricted groups


    group = your group to be made local admins
    member of = BUILTIN\Administrators


    http://www.windowsecurity.com/articles/Using-Restricted-Groups.html


    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/librar...


    http://www.microsoft.com/resources/documentation/windows/xp/all/prodd...


    There is absolutely nothing that has to be done on the client side.


    Create the gpo in the ou where the Computers reside (NOT the users), go to
    computer configuration/windows settings/security settings/restricted groups,
    right click on restricted groups and select new group (For the local
    computers, this group name should be - administrators) and key in the group
    you want auto populated. Select add on the Members of this group and then
    add the members you want populated.


    Note: Be aware that the higher you place this setting within the domains
    group policy the possibility exists it is applied to machines you may not
    want it applied to. With this in mind you should try and avoid this setting
    at the domain level, with the exception on the domain admins group. We have
    some users who are local admins on machines and for some reason they feel
    compelled to remove the domain admins from their local administrators group.
    Setting this at the domain level manages these annoying users.





    --
    Paul Bergson
    MVP - Directory Services
    MCITP - Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, MCP, Security +, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    Microsoft's Thrive IT Pro of the Month - June 2009

    http://www.pbbergs.com Twitter - @pbbergs

    Please no e-mails, any questions should be posted in the NewGroups. This
    posting is provided "AS IS" with no warranties and confers no rights.
    "tkutil" <> wrote in message
    news:...
    >I need to start creating individual accounts for our help desk personnel. I
    > believe I have the AD Delegation working, but how do I control or give
    > these
    > users the ability to logon remotely using RDP and log on deskside with
    > admin
    > rights?
     
    Paul Bergson [MVP-DS], May 19, 2010
    #3
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Dan Anderson

    Administrator vs Administrator

    Dan Anderson, Oct 22, 2006, in forum: Windows Vista Administration
    Replies:
    5
    Views:
    400
    kreed
    Oct 25, 2006
  2. Dave R.

    System Administrator vs. Application Administrator

    Dave R., Feb 12, 2007, in forum: Windows Vista Administration
    Replies:
    1
    Views:
    846
    Jimmy Brush
    Feb 13, 2007
  3. Pete

    administrator, but no administrator?!?

    Pete, May 31, 2007, in forum: Windows Vista Administration
    Replies:
    2
    Views:
    241
    BarryD
    Jun 2, 2007
  4. Wouter

    I need Administrator rights, though I am Administrator

    Wouter, May 31, 2007, in forum: Windows Vista Administration
    Replies:
    2
    Views:
    584
    Wouter
    Jun 3, 2007
  5. NDanielle

    All Administrator Accounts have been changed to Standard Accounts

    NDanielle, Jun 15, 2008, in forum: Windows Vista Administration
    Replies:
    2
    Views:
    307
    NDanielle
    Jun 18, 2008
Loading...

Share This Page