Hi, I was wondering if their was a way to grant a Power User access to create local user accounts without giving full admin rights?
Thanks
-
Solved Local User permissions
-
Waqkas,
Take a look at the following:
www.pwrusr.com/system-administration/3-ways-to-grant-local-admin-permissions-to-domain-users
It will offer you several different approaches which should allow you to accomplish your goal.
Cheers,
Adam
-
@adam-gordon Thanks for the suggestions. I've had a look and it seems to give the local user full admin access instead of just access to create users.
FYI this is being setup for a terminal server where users can login to a local power user and setup their own accounts via PowerShell script. I have already created the script just need to see if it's possible to lockdown this account to only create users.
I have also tried adding the user to the compmgmt security properties but the option is greyed out.
Thanks
-
Waqkas,
My apologies for not being more specific initially. So two things will potentially impact your ability to do this as noted below:
- What version of Server are you running/targeting?
Based on the answer to the question above, you may be able to use the template found here to modify permissions via group policy:
https://www.microsoft.com/en-us/download/details.aspx?id=36991
The template is supported on Servers up to 2012. I am not sure if it will work on 2016 or not, but you can try it.
If the template is not serviceable as an option due to versioning issues, then I would suggest that you look at the delegation of control wizard as discussed in the article below:
See if one, or both of those may help.
Cheers,
Adam
-
Hey @Waqkas-Ahmed ,
If the accounts being created were domain accounts, we could use the delegation wizard to give a user permissions to only create accounts. There isn't a way to delegate granular permissions on a local machine, as far as I know. The user would need local admin rights to create a local account.
Mike
Mike Rodrick
Edutainer, ITProTV**if the post above has answered the question, please mark the topic as solved.
-
Thanks guys. I've been looking around but looks like it's not possible to set this up.
