I want to give another user rights to manage all domain computers. I created a group in AD called ITAdmin and added myself and this user to it.
Then I added this group to several other groups, like:
- Users -> Domain admin
- Users -> Enterprise admin
- Builtin -> Administrators
He still can't manage domain computers...
Do I have to add this group in the domain "Managed by" property? Did I forget a group?
This should be easy... Thanks for your help.
Domain Admin should have permissions. Typically, the Administrators built-in group on a workstation lists Domain Admins group for the domain in question.
Has the user logged off and logged back on to the workstation since having rights assigned?
Open up lusrmgr.msc (Local Users and Groups) on the target workstation and ensure the domain groups in question have the required permissions on the workstation.
Adding users to Domain Admins (and Enterprise Admins, for that matter) in order to delegate local workstation admin rights is a Bad Practice.
I highly recommend delegating your 'ITAdmin' group down to all workstations for local admin access and leaving as few users as possible in Domain Admins.
What blaughw said.
You might want to look into group policy. Specifically, restricted groups (if you restrict the administrators group, this setting will add users and groups to the administrators group as well as kicking other users and groups out) or a startup script that includes a line along the lines of
net localgroup administrators yourdomain\ITAdmin /add
(You'd want to use the latter if you have other users that are local admins on specific machines only.)
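The startup-script approach suggested above, as an added example that is not part of the original thread: it adds the delegated group to the local Administrators group only if it is missing, then lists the domain groups that still hold local admin so leftover Domain Admins or Enterprise Admins nesting is visible. It assumes Windows PowerShell 5.1 with the built-in LocalAccounts cmdlets, and `YOURDOMAIN\ITAdmin` is a placeholder mirroring the one used in the thread.

```powershell
# Added example: intended to run as a GPO computer startup script (runs as SYSTEM).
# 'YOURDOMAIN\ITAdmin' is a placeholder; replace with your NetBIOS domain and group.
$DelegatedGroup = 'YOURDOMAIN\ITAdmin'

# Resolve the built-in Administrators group by its well-known SID so the
# script also works on localized Windows installs where the name differs.
$admins = Get-LocalGroup -SID 'S-1-5-32-544'

try {
    $members = @(Get-LocalGroupMember -Group $admins -ErrorAction Stop)
} catch {
    # Enumeration can fail when the group contains orphaned SIDs.
    Write-Warning "Could not enumerate $($admins.Name): $($_.Exception.Message)"
    $members = @()
}

# -notcontains is case-insensitive; an empty member list also falls through to the add.
if ($members.Name -notcontains $DelegatedGroup) {
    try {
        Add-LocalGroupMember -Group $admins -Member $DelegatedGroup -ErrorAction Stop
        Write-Output "Added $DelegatedGroup to $($admins.Name)"
    } catch {
        # Covers "already a member" (when enumeration failed) and lookup errors.
        Write-Warning "Add failed: $($_.Exception.Message)"
    }
} else {
    Write-Output "$DelegatedGroup is already a member of $($admins.Name)"
}

# Report domain groups with local admin so the delegation can be reviewed
# and Domain Admins membership kept as small as possible.
$members |
    Where-Object { $_.ObjectClass -eq 'Group' -and $_.PrincipalSource -eq 'ActiveDirectory' } |
    Select-Object Name, SID
```

Unlike Restricted Groups, this script only adds the group and never removes existing members, which matches the case where some machines have their own local admins.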