Subject: Windows NT user permissions
Category: Computers > Security
Asked by: jregehr-ga
List Price: $3.50
Posted: 18 Jul 2002 12:10 PDT
Expires: 29 Jul 2002 08:03 PDT
Question ID: 42575

There is no answer at this time.

Subject: Re: Windows NT user permissions
From: froggo-ga on 18 Jul 2002 13:04 PDT

Hi,

Your first question: Set a user so he has full administrative permissions (domain admin) except he is not able to change the administrator password. Is this possible or is there a better alternative?

No, this is not possible. The Windows NT Domain Administrator Account has the highest level of access in the Domain. It is therefore not possible to prevent the Domain Admin from changing the password.

It sounds like you don't trust one of your Admins. Be warned: there are many, many worse things that an Admin could do than lock you out of the Admin account!

If your primary concern is to retain control of the Admin password, that's easy enough. There are a host of offline password editors available for Windows NT. Search on Google for "NT offline password change" without the quotes. You can also get one here: http://home.eunet.no/~pnordahl/ntpasswd

Use at your own risk. There exists a chance that you could damage your SAM using these tools. A more reliable tool, and the one which I would recommend, is ERD Commander, by Winternals Software: http://www.winternals.com/products/repairandrecovery/erdcommander2002.asp

If your Admin changes the Domain Admin password, you can use these tools to reset it. You will have to take your server down to do this, so there will be some downtime.

Your second question: All you need to do is add the user name to the local administrator's group on their workstation. This will give them local Admin access to their machine, but no elevated access on the NT Domain.

Good luck! Ciao!
Froggo.

Subject: Re: Windows NT user permissions
From: it-ga on 18 Jul 2002 18:19 PDT

Hi,

I agree with froggo in regards to the second portion of the question - by adding a user to the local admin group he / she will have local admin rights but not domain level rights.

If you're not concerned about multiple users having local admin rights to different workstations, and/or your users move around from desk to desk, I suggest creating a domain group, calling it something to the effect of global.users, and adding that to the local admin group of each workstation. This is less time consuming than manually going to each workstation and adding that particular user's login ID to it. The only caveat, as I mentioned earlier, is that any user in "global.users" will get local admin rights to any workstation.

In regards to the first, what permissions are you looking to grant this user? Power users or backup administrator might accommodate a limited permission structure which would grant the user only what you need him / her to do.

Hope this helps in some way.
Regards

Subject: Re: Windows NT user permissions
From: scmartindale-ga on 25 Jul 2002 23:15 PDT

Hi,

As far as I understand the question, here is my answer: Instead of using one of NT's pre-defined groups, create your own group with its own policy. (In W2K you do this with MMC, but I am a bit rusty on NT admin!) I.e., instead of setting the user up as an "Administrator", create a group with some of the administrator privileges but not all of them!

If this helps, use it, if not, delete it!
Stephen Martindale