Local Policy for Desktop Support Group

[Sean]

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

I've been researching this scenario and so far have not been able to come up
with a way to do it.

I need to have a local account called DesktopSupport or something along
those lines that can install/update device drivers, use run-as to
uninstall/reinstall software that requires administrator rights (initially
deployed under admin context with SMS), etc.. however, I need to restrict
the account from being able to add members to local administrators group.

Is their a way to restrict a member of the local administrators group from
managing the local administrators group?

 

[Guest]

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

"Sean" <none@none.com> wrote in message
news:hKKdnZ2dnZ16vqu1nZ2dnQeJbd-dnZ2dRVn-0J2dnZ0@comcast.com...
> I've been researching this scenario and so far have not been able to come
> up with a way to do it.
>
> I need to have a local account called DesktopSupport or something along
> those lines that can install/update device drivers, use run-as to
> uninstall/reinstall software that requires administrator rights (initially
> deployed under admin context with SMS), etc.. however, I need to restrict
> the account from being able to add members to local administrators group.
>
> Is their a way to restrict a member of the local administrators group from
> managing the local administrators group?
>
>

Either make them "Power Users" - which probably won't work for all software
installations, or consider using Group Policy (if you have a domain) to
define the memberships of the Administrators group. See
http://support.microsoft.com/?kbid=279301


--
Colin Nash
Microsoft MVP
Windows Shell/User