Nah.... That would give him access to all domain controllers, member servers and workstations. This wouldn't be acceptable security by any stretch of the imagination. Just because you trust someone with workstations doesn't mean you should trust them with anything else.
joe -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Oliver Marshall Sent: Thursday, December 04, 2003 10:39 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] No Joke. Its not the best, but then I am taking some assumptions; 1) If he is installing software on each machine individually then it isnt a big setup by any means 2) Adding one user to each machines admin groups could take a while and is a pain, even in small setups. 3) He has a backup admin account that he can use should any numpty change the admin account password 4) The chap in question can be trusted enough to do work on his own machines even if he cant be trusted with a generic password which is the same for all clients (!) 5) There is no other real way of doing this other than making him a member of one of the two admin groups (local or domain) Based on these assumptions, I'm afraid I stand by my comment. Given the assumed setup I don't see it as too much of risk, and you can always revoke privelages afterwards -----Original Message----- From: Douglas M. Long [mailto:[EMAIL PROTECTED] Sent: 04 December 2003 15:32 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] I hope that last comment was a joke...as I wouldnt want a "user" to have domain admin rights. If you find a good solution for this, I would be suprised, as I have looked for a better solution than just adding the users domain account to the local admin group and cant find anything. I have been living with all "domain users" being members of their local machine admin group, and just hoping that they dont change the local admin user password. If all you are worried about is keeping the admin password so that you can get into the machine if you need...dont worry, there are always local machine administrator reset programs. -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Jerry Johnson Sent: Thursday, December 04, 2003 9:46 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] Hi I have a user that needs to be able to install software on 2k and xp clients by visiting each desktop. All of our clients are setup with the same local admin password and do not want him to know that password. Is this possible? He is currently just a domain user. Thank you Jerry Scicom Data Services Minnetonka,Mn List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
