To add a pseudo-administrative account to a domain to allow a user to
administer and maintain Windows NT workstations but not servers:
- On one of the servers in the domain:
a. Start User Manager for Domains.
b. Create a new global group (for example, WKSADMIN).
c. Add the pseudo-administrator user to the group.
- On the all workstations in the domain:
a. Start User Manager.
b. Add the new global group to the workstation's local administrator
group.
This gives the pseudo-administrator administrative rights on the
workstations in the domain but not the servers.
Once you add the new global group to all workstation's local administrator
group, you can add additional workstation administrators by adding them to
the global group on the server.
If you want the pseudo-administrators to have limited administrative
capabilities on the domain servers, add them to the Server Operators group
on a server in the domain. This allows them to shut down the server, share
and stop sharing directories, and backup and restore files. It does not
allow them to change any user attributes, add drivers, or take ownership of
files.
NOTE: While it is possible to do this in a Windows 2000 Domain, it is recommended that you use OU's (Organizational Units) to accomplish this instead. Using OU's allows better control and more granular settings for Administrators.