
I want to give another user rights to manage all domain computers. I created a group in AD called ITAdmin and added myself and this user to it.

Then I added this group to several other groups like:

  • Users -> Domain admin
  • Users -> Enterprise admin
  • Builtin -> Administrators

He still can't manage domain computers...

Do I have to add this group in the domain "Managed by" property? Did I forget a group?

This should be easy... Thanks for your help.

Philippe

2 Answers


Domain Admin should have permissions. Typically, the Administrators built-in group on a workstation lists Domain Admins group for the domain in question.

Has the user logged off and logged back on to the workstation since having rights assigned?

Open up lusrmgr.msc (Local Users and Groups) on the target workstation and ensure the domain groups in question have the required permissions on the workstation.

Adding users to Domain Admins (And Enterprise Admins, for that matter) in order to delegate local workstation admin rights is a Bad Practice.

I highly recommend delegating your 'ITAdmin' group down to all workstations for local admin access and leaving as few users as possible in Domain Admins.

blaughw
  • I will verify if he has logged off. Since it was not working I kept on adding rights, but I understand it's not a good practice. I will fix that. Thanks. – Philippe Jul 20 '16 at 16:35

What blaughw said.

You might want to look into group policy. Specifically, restricted groups--if you restrict the administrators group, this setting will add users and groups to the administrators group as well as kicking other users and groups out--or a startup script that includes a line along the lines of net localgroup administrators yourdomain\ITAdmin /add. (You'd want to use the latter if you have other users that are local admins on specific machines only.)

Katherine Villyard
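An added example, not from either answer, of the startup-script approach described above: an idempotent GPO computer startup script that grants a delegated AD group local admin rights on the workstation, so the user never needs to sit in Domain Admins. The domain name "yourdomain" and the group "ITAdmin" are placeholders taken from the thread.

```powershell
# Added example (not from the original answers). Deploy as a GPO computer
# startup script; it runs as SYSTEM before any user logs on.
# Assumption: 'yourdomain\ITAdmin' is the delegated group from the question.
$GroupToAdd = 'yourdomain\ITAdmin'
$LocalGroup = 'Administrators'

function Test-LocalGroupContains {
    param([string]$Group, [string]$Member)
    # Get-LocalGroupMember reports members as DOMAIN\name; compare case-insensitively.
    $members = Get-LocalGroupMember -Group $Group -ErrorAction Stop
    return [bool]($members | Where-Object { $_.Name -ieq $Member })
}

try {
    if (Test-LocalGroupContains -Group $LocalGroup -Member $GroupToAdd) {
        Write-Output "$GroupToAdd is already a member of $LocalGroup; nothing to do."
    } else {
        # Only ever add the delegated group; existing per-machine local admins
        # are left alone, unlike a Restricted Groups policy that replaces members.
        Add-LocalGroupMember -Group $LocalGroup -Member $GroupToAdd -ErrorAction Stop
        Write-Output "Added $GroupToAdd to $LocalGroup."
    }
} catch {
    # Fallback for hosts without the LocalAccounts module (older PowerShell):
    # 'net localgroup' lists members one per line and fails if the member already
    # exists, so check the listing before adding.
    $existing = & net.exe localgroup $LocalGroup
    if ($existing -notcontains $GroupToAdd) {
        & net.exe localgroup $LocalGroup $GroupToAdd /add
        Write-Output "Added $GroupToAdd to $LocalGroup via net.exe."
    }
}
```

The script is safe to run on every boot because it checks membership first; pair it with an audit of who is actually in Domain Admins so the group can be trimmed back as blaughw recommends.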