Creating a Workstation-Only Administrator

To add a pseudo-administrative account to a domain to allow a user to administer and maintain Windows NT workstations but not servers:

  1. On one of the servers in the domain:

    a. Start User Manager for Domains.

    b. Create a new global group (for example, WKSADMIN).

    c. Add the pseudo-administrator user to the group.

  2. On all the workstations in the domain:

    a. Start User Manager.

    b. Add the new global group to the workstation's local Administrators group.

This gives the pseudo-administrator administrative rights on the workstations in the domain but not the servers.

Once you have added the new global group to the local Administrators group on every workstation, you can add additional workstation administrators by adding them to the global group on the server.
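
The check below is an added example, not part of the original article: it verifies on one machine that the global group is a local administrator on workstations and is absent on member servers. It assumes a current Windows version with Windows PowerShell 5.1 (the article itself describes User Manager on Windows NT); the domain name EXAMPLE is a placeholder, and WKSADMIN is the group name from the steps above.

```powershell
param(
    [string]$Domain = 'EXAMPLE',   # placeholder NetBIOS domain name (assumption)
    [string]$Group  = 'WKSADMIN',  # global group name from the article's example
    [switch]$Fix                   # add the group on workstations where it is missing
)

$principal = "$Domain\$Group"
$adminsSid = 'S-1-5-32-544'        # well-known SID of the built-in Administrators group

# Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = member server
$type = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType
$role = switch ($type) { 1 { 'Workstation' } 2 { 'DomainController' } 3 { 'Server' } }

if ($type -eq 2) {
    # A domain controller has no local SAM groups, so the local check does not apply here.
    Write-Warning "$env:COMPUTERNAME is a domain controller; review the domain's Administrators group instead."
    return
}

# Returns $true when the global group is listed in the local Administrators group.
function Test-Member {
    [bool](Get-LocalGroupMember -SID $adminsSid -ErrorAction Stop |
        Where-Object { $_.Name -eq $principal })
}

$isMember = Test-Member
if ($Fix -and $type -eq 1 -and -not $isMember) {
    Add-LocalGroupMember -SID $adminsSid -Member $principal -ErrorAction Stop
    $isMember = Test-Member
}

# Compliant means: present on workstations, absent on member servers.
[pscustomobject]@{
    Computer     = $env:COMPUTERNAME
    Role         = $role
    Principal    = $principal
    IsLocalAdmin = $isMember
    Compliant    = ($isMember -eq ($type -eq 1))
}
```

Run it from an elevated session; without -Fix it only reports, so it can also be used to confirm that no server has picked up the workstation administrators group.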

If you want the pseudo-administrators to have limited administrative capabilities on the domain servers, add them to the Server Operators group on a server in the domain. This allows them to shut down the server, share and stop sharing directories, and back up and restore files. It does not allow them to change any user attributes, add drivers, or take ownership of files.

NOTE: While it is possible to do this in a Windows 2000 domain, it is recommended that you use OUs (Organizational Units) to accomplish this instead. Using OUs allows better control and more granular settings for administrators.