Desktop Administrator Accounts

Discussion in 'Active Directory' started by tkutil, May 18, 2010.

  1. tkutil

    tkutil Guest

    I need to start creating individual accounts for our help desk personnel. I
    believe I have the AD Delegation working, but how do I control or give these
    users the ability to logon remotely using RDP and log on deskside with admin
    rights?
     
    tkutil, May 18, 2010
    #1
    1. Advertisements

  2. tkutil

    RCan Guest

    Hi tkutil,

    create an security group called a.e. "Desktop-Admins-RDP" and assign
    persmissions at clients for RDP logon permissions to this group.
    You should use GPO to configure these settings on the desktops - see article
    below.

    More details around configuration options for RDP can you find here ->
    Configure Remote Desktop
    http://technet.microsoft.com/en-us/library/bb457106.aspx

    PS : on some OS's RDP need to be enabled first

    Hope that helps

    Regards
    Ramazan

    "tkutil" <> wrote in message
    news:...
    > I need to start creating individual accounts for our help desk personnel.
    > I
    > believe I have the AD Delegation working, but how do I control or give
    > these
    > users the ability to logon remotely using RDP and log on deskside with
    > admin
    > rights?
     
    RCan, May 18, 2010
    #2
    1. Advertisements

  3. If you want them to be local admins so they
    can perform maintenance than you should consider using restricted groups:

    To use the restricted user group gpo setting


    computer configuration \ windows settings \ restricted groups


    group = your group to be made local admins
    member of = BUILTIN\Administrators


    http://www.windowsecurity.com/articles/Using-Restricted-Groups.html


    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/librar...


    http://www.microsoft.com/resources/documentation/windows/xp/all/prodd...


    There is absolutely nothing that has to be done on the client side.


    Create the gpo in the ou where the Computers reside (NOT the users), go to
    computer configuration/windows settings/security settings/restricted groups,
    right click on restricted groups and select new group (For the local
    computers, this group name should be - administrators) and key in the group
    you want auto populated. Select add on the Members of this group and then
    add the members you want populated.


    Note: Be aware that the higher you place this setting within the domains
    group policy the possibility exists it is applied to machines you may not
    want it applied to. With this in mind you should try and avoid this setting
    at the domain level, with the exception on the domain admins group. We have
    some users who are local admins on machines and for some reason they feel
    compelled to remove the domain admins from their local administrators group.
    Setting this at the domain level manages these annoying users.





    --
    Paul Bergson
    MVP - Directory Services
    MCITP - Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, MCP, Security +, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    Microsoft's Thrive IT Pro of the Month - June 2009

    http://www.pbbergs.com Twitter - @pbbergs

    Please no e-mails, any questions should be posted in the NewGroups. This
    posting is provided "AS IS" with no warranties and confers no rights.
    "tkutil" <> wrote in message
    news:...
    >I need to start creating individual accounts for our help desk personnel. I
    > believe I have the AD Delegation working, but how do I control or give
    > these
    > users the ability to logon remotely using RDP and log on deskside with
    > admin
    > rights?
     
    Paul Bergson [MVP-DS], May 19, 2010
    #3
    1. Advertisements

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.
Similar Threads
  1. Dan Anderson

    Administrator vs Administrator

    Dan Anderson, Oct 22, 2006, in forum: Windows Vista Administration
    Replies:
    5
    Views:
    807
    kreed
    Oct 25, 2006
  2. Dave R.

    System Administrator vs. Application Administrator

    Dave R., Feb 12, 2007, in forum: Windows Vista Administration
    Replies:
    1
    Views:
    1,119
    Jimmy Brush
    Feb 13, 2007
  3. Pete

    administrator, but no administrator?!?

    Pete, May 31, 2007, in forum: Windows Vista Administration
    Replies:
    2
    Views:
    504
    BarryD
    Jun 2, 2007
  4. Wouter

    I need Administrator rights, though I am Administrator

    Wouter, May 31, 2007, in forum: Windows Vista Administration
    Replies:
    2
    Views:
    963
    Wouter
    Jun 3, 2007
  5. Markku

    I am an administrator, but I don't have any administrator rights

    Markku, Jun 4, 2007, in forum: Windows Vista Administration
    Replies:
    3
    Views:
    1,170
    Jimmy Brush
    Jun 6, 2007
  6. rwbta

    Administrator not an administrator

    rwbta, Jun 27, 2007, in forum: Windows Vista Administration
    Replies:
    3
    Views:
    466
    rwbta
    Jun 29, 2007
  7. rainyangel175

    Change administrator name to "Administrator"

    rainyangel175, Mar 13, 2008, in forum: Windows Vista Administration
    Replies:
    8
    Views:
    497
    rainyangel175
    Mar 16, 2008
  8. NDanielle

    All Administrator Accounts have been changed to Standard Accounts

    NDanielle, Jun 15, 2008, in forum: Windows Vista Administration
    Replies:
    2
    Views:
    602
    NDanielle
    Jun 18, 2008
Loading...