
Trying to get the tech guy at work to give me some account privileges

HeXploiT

Diamond Member
So I had a talk with the tech guy at my job and asked him if he would give me some account privileges so that I can do things like change system settings, update drivers and do basic system repairs as our computers frequently need caring for and the tech guy runs the server from home.
He ok'ed it but it's been two weeks now and he says he's having difficulty creating this type account with the proper privileges without giving "admin" access.

He says this is difficult to do in Windows Server 2008.

Is it really that difficult to make an account like this?

Is there anything I can do to help him along?
 
He's probably just trying to find an easy way to make you a local admin on all of the PCs without putting you in the Domain Admins group and I don't think there is one. Now that I think about it, it's kind of shitty that there's no Local Admins group by default in AD. He'll likely have to use a GPO or a script to add you (or a new local admin group he creates) to the local Administrators account on every machine in the domain.
 
It is a one liner in AD to add local admin rights to a user without adding them to domain admins. It is done via GPO or AD groups if you use GPO to add some sort of "local admins" group to the local administrators group.

In GPO editor:
Computer config > Preferences > Control Panel Settings > Local Users and Groups
 
It is a one liner in AD to add local admin rights to a user without adding them to domain admins. It is done via GPO or AD groups if you use GPO to add some sort of "local admins" group to the local administrators group.

In GPO editor:
Computer config > Preferences > Control Panel Settings > Local Users and Groups

That or he's giving him the run around because he really does not want to give him local admin rights.😀
 
I don't see why, I'd be ecstatic to hand off the desktop bullshit if I were in his position.

I can think of many reasons. IT security and compliance policies. Job security for the IT guy. Keep the end users from screwing things up.

If they don't have local admin rights now, then they are under some kind of policy already.
 
I can think of many reasons. IT security and compliance policies. Job security for the IT guy. Keep the end users from screwing things up.

If they don't have local admin rights now, then they are under some kind of policy already.
Yup, what he said. Job security haha, I used to laugh at that until it happened to me.
 
Yup, what he said. Job security haha, I used to laugh at that until it happened to me.

I lost so many IT jobs 🙁 I'm learning something new in a different field so I can be versatile.

All IT people think they are gods.....They don't like people touching their pcs, servers or anything on the network for that matter. He's probably just worried that you won't follow his advice to the tee. Don't take offense but I was like that too. Eventually I stopped caring but some people never do.
 
I lost so many IT jobs 🙁 I'm learning something new in a different field so I can be versatile.

All IT people think they are gods.....They don't like people touching their pcs, servers or anything on the network for that matter. He's probably just worried that you won't follow his advice to the tee. Don't take offense but I was like that too. Eventually I stopped caring but some people never do.
I definitely agree with what you said about the know it alls. I definitely didn't present myself that way then nor now. I am as humble as can be and am all about learning anything and everything. I worked with many people who would finish my sentences for me or would hear me asking another person a question and run halfway across the room to blurt out an answer just because.
 
I can think of many reasons. IT security and compliance policies. Job security for the IT guy. Keep the end users from screwing things up.

If they don't have local admin rights now, then they are under some kind of policy already.

Well in my case it's not IT security. I have express permission from the director of my organization and I'm well versed in network security. Job security I doubt because the tech told me once that he wanted to delegate some of the networking stuff to me but I turned him down because I'm not a networking guy and finally I'm not going to screw anything up as my strong points are hardware and software troubleshooting. I.e., half the time I'm the one telling the tech what's wrong with the system.

I definitely agree with what you said about the know it alls. I definitely didn't present myself that way then nor now. I am as humble as can be and am all about learning anything and everything. I worked with many people who would finish my sentences for me or would hear me asking another person a question and run halfway across the room to blurt out an answer just because.



I'm not going to make any judgments about the guy. I just want to know how this can be done. I can't stand not being in control of any machine I'm working on.
 
I can think of many reasons. IT security and compliance policies. Job security for the IT guy. Keep the end users from screwing things up.

If they don't have local admin rights now, then they are under some kind of policy already.

I didn't say make every user a local admin, just the OP since he asked for it. And he said the IT guy was fine with it. If company policy prohibited it, that's one thing but it doesn't seem to be applicable here.

As for job security, that's very dependent on the situation. I personally wouldn't want a job that included desktop maintenance bullshit. I end up doing it a bit here when we're tight on staff, but I've made sure everyone here knows that I'm to be considered the very last resort for that stuff and that I'm not very good at it.

zetsway said:
All IT people think they are gods.....They don't like people touching their pcs, servers or anything on the network for that matter. He's probably just worried that you won't follow his advice to the tee. Don't take offense but I was like that too. Eventually I stopped caring but some people never do.

I don't consider myself a god, but I am damn good at what I do and I am very picky about people touching stuff for which I'm responsible. Especially after working at my current job because I've seen so many botched networks by half-wits that think they know what they're doing because they can click next on the SBS setup wizard. I care less these days, but I make damn sure that everyone involved knows when something is done that I don't think is right or when something was done behind my back as CYA, not doing so is just irresponsible.
 
I'm not going to make any judgments about the guy. I just want to know how this can be done. I can't stand not being in control of any machine I'm working on.

LOL I totally agree. I started this new contract gig and they told me to backup their databases and websites. I'm like cool. "Can I get the local desktop password?" They said "No, you are just a contractor" hmmmm but they gave me the server password....I went back at the end of the day and I told them "Hey here is the local desktop password, so can I go ahead and install what I want." They're like "Wow, I guess we should have just given it to you, huh? You might as well. In fact why don't you take care of all of our servers".

Don't try that guys, I could've got fired but it really made me mad when I couldn't install Firefox and the tech guy wouldn't do it for me. But here they give me the passwords for their database server. LAME!!!
 
I personally wouldn't want a job that included desktop maintenance bullshit. I end up doing it a bit here when we're tight on staff, but I've made sure everyone here knows that I'm to be considered the very last resort for that stuff and that I'm not very good at it.

LOL I'm the same way. I worked long and hard to get out of doing desktop junk. I'll go back if I had to but I hate it. I'd rather touch my servers and do website design. Funny thing is I used to love doing desktop support and I told myself I wouldn't in a million years be a server admin\website designer.

Funny how life turns out isn't it 🙂


I definitely agree with what you said about the know it alls. I definitely didn't present myself that way then nor now. I am as humble as can be and am all about learning anything and everything. I worked with many people who would finish my sentences for me or would hear me asking another person a question and run halfway across the room to blurt out an answer just because.

Humble people don’t say they're humble LOL but I see your point

I don't consider myself a god, but I am damn good at what I do and I am very picky about people touching stuff for which I'm responsible. Especially after working at my current job because I've seen so many botched networks by half-wits that think they know what they're doing because they can click next on the SBS setup wizard. I care less these days, but I make damn sure that everyone involved knows when something is done that I don't think is right or when something was done behind my back as CYA, not doing so is just irresponsible.

I take back what I said in regards to ALL IT PEOPLE Nothinman and Nocturnal. I felt this way for a long time and I know people like this. I finally came to realize we all have our strengths and weaknesses. I also realize that end users aren't stupid they are just ignorant. In the OP's case he should get admin rights because it will get his foot in the door if he chooses to pursue IT as a career.
 
There's settings in standard Windows Server AD that allow an account to be designated as a Local Administrator on client PCs.

What I'd normally do is:

1) Create a special User account that will be used to log into PCs as a Local Administrator. This would be a "special" account, not your personal account. You don't really want your everyday user account to have those Local Administrator rights.

2) Create two groups (OU or whatever is appropriate in your Domain's AD structure) of PCs:
- Computers that you will be allowed access to.
- Computers you will not be allowed access to.

Usually, nobody but a Domain Administrator would be allowed Local Administrator access to the boss' computer, to Human Resources computers, etc.

3) Create a new Policy that gives this new special account Local Administrator rights to the non-boss group.
 
There's settings in standard Windows Server AD that allow an account to be designated as a Local Administrator on client PCs.

What I'd normally do is:

1) Create a special User account that will be used to log into PCs as a Local Administrator. This would be a "special" account, not your personal account.

2) Create two groups (OU or whatever is appropriate in your Domain's AD structure) of PCs:
- Computers that you will be allowed access to.
- Computers you will not be allowed access to.

Usually, nobody but a Domain Administrator would be allowed Local Administrator access to the boss' computer, to Human Resources computers, etc.

3) Create a new Policy that gives this new special account Local Administrator rights to the non-boss group.
That is exactly what I was going to say :hmm:

At work we have the following:

- Regular user: john.doe
- local admin: admin_john.doe
- domain admin: domain_john.doe

You should never give rights to users directly, always use gpo's it's the only way to keep everything organised. Link those gpo's to OU's and voila, a neat AD.
 
There's settings in standard Windows Server AD that allow an account to be designated as a Local Administrator on client PCs.

What I'd normally do is:

1) Create a special User account that will be used to log into PCs as a Local Administrator. This would be a "special" account, not your personal account. You don't really want your everyday user account to have those Local Administrator rights.

2) Create two groups (OU or whatever is appropriate in your Domain's AD structure) of PCs:
- Computers that you will be allowed access to.
- Computers you will not be allowed access to.

Usually, nobody but a Domain Administrator would be allowed Local Administrator access to the boss' computer, to Human Resources computers, etc.

3) Create a new Policy that gives this new special account Local Administrator rights to the non-boss group.

That is actually a great idea. Think I will present this to him. My guess is he's primarily concerned about keeping the server locked down and this would give him the power to exclude me from the server which I never access anyway.
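
The three-step plan quoted above (dedicated admin account, separate OUs for computers, a GPO linked to only one of them), written out as an added PowerShell example that is not part of any post in this thread. It assumes the ActiveDirectory and GroupPolicy modules, which ship with Windows Server 2008 R2 and RSAT rather than the plain Server 2008 mentioned in the thread; the OU, group and GPO names are hypothetical.

```powershell
# Added example; OU, group and GPO names are hypothetical.
# Assumes the ActiveDirectory and GroupPolicy modules (Server 2008 R2 / RSAT or later).
Import-Module ActiveDirectory, GroupPolicy
$ErrorActionPreference = 'Stop'

$domainDn   = (Get-ADDomain).DistinguishedName
$managedOu  = "OU=Managed Workstations,$domainDn"     # PCs the helper may administer
$excludedOu = "OU=Restricted Workstations,$domainDn"  # boss, HR: Domain Admins only
$groupSam   = 'WorkstationLocalAdmins'
$account    = 'admin_john.doe'                        # naming scheme from the thread

# Step 1: dedicated admin account, separate from the everyday logon.
$pw = Read-Host "Initial password for $account" -AsSecureString
New-ADUser -Name $account -SamAccountName $account -AccountPassword $pw `
    -Enabled $true -ChangePasswordAtLogon $true
New-ADGroup -Name $groupSam -SamAccountName $groupSam -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity $groupSam -Members $account

# Step 2: one OU per class of computer (move computer objects in afterwards).
'Managed Workstations', 'Restricted Workstations' |
    ForEach-Object { New-ADOrganizationalUnit -Name $_ -Path $domainDn }

# Step 3: a GPO linked only to the managed OU. The membership itself is set in the
# GPO editor: Computer config > Preferences > Control Panel Settings >
# Local Users and Groups, adding $groupSam to the local Administrators group.
$gpo = New-GPO -Name 'Workstations - Local Admins'
New-GPLink -Name $gpo.DisplayName -Target $managedOu -LinkEnabled Yes | Out-Null

# Check: read a PC's local Administrators group over the WinNT ADSI provider.
function Get-LocalAdminMembers([string]$Computer) {
    $grp = [ADSI]"WinNT://$Computer/Administrators,group"
    $grp.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
}

# After Group Policy has refreshed, the group must not show up on restricted PCs.
Get-ADComputer -Filter * -SearchBase $excludedOu | ForEach-Object {
    $pc = $_.Name   # captured here because $_ is the error record inside catch
    try {
        if ((Get-LocalAdminMembers $pc) -match "/$groupSam$") {
            Write-Warning "${pc}: $groupSam is a local administrator"
        }
    } catch {
        Write-Warning "${pc}: could not read Administrators group ($($_.Exception.Message))"
    }
}
```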
 