Re: restricting admin access to network

From: =pathfinder= (pathfinder_at_discussions.microsoft.com)
Date: 09/16/05


Date: Fri, 16 Sep 2005 14:14:02 -0700

wooooohhhhhooooooooooooooo! you guys are geniuses. works great, thanks.

Any hope on these 2 questions?
> >> -1) How can I set the permissions so only enterprise admin can edit
> >> all GPO's? I will then delegate specific policies to specific people.
> >> 2) Can I modify the default domain GPO ACL to only have enterprise
> >> admin edit it? I see in the GPMC that I can remove the delegation
> >> to domain admins. Is this how I go about this?

"Lanwench [MVP - Exchange]" wrote:

>
>
> In news:OdEi2dguFHA.3932@TK2MSFTNGP15.phx.gbl,
> Steven L Umbach <n9rou@nospam-comcast.net> typed:
> > First off in a root domain you really can not prevent a member of the
> > administrators group for the "domain" or domain admins group from
> > becoming whatever they want including enterprise or schema
> > administrators. You really should only need a couple of
> > administrators [or domain admins] for the domain. You can however add
> > regular domain users to the local administrators group of any domain
> > computer that is not a domain controller. You can do it via a Group
> > Policy startup script using the net localgroup command or use
> > Restricted Groups via a Group Policy linked at the OU level and then
> > add the domain computers you want them to be local administrators on
> > into that OU. You may want to use "member of" option when you do
> > this, create a global group that contains the users you want, then
> > add it to administrators. Your Windows 2000 computers will need to be
> > at SP4 for "member of" to work right. You do not have to use "member
> > of" but the other option will replace and enforce current membership
> > in the local administrators group on those domain computers which may
> > or may not be desirable for you. Once you have that make sure that
> > membership of administrators [for the domain], domain admins,
> > enterprise admins, and schemas admins is what you want and monitor it
> > closely and be sure that auditing of account management is enabled in
> > Domain Controller Security Policy so that it can help you monitor
> > changes in group membership. -- Steve
>
> When you post in here, always include your version, SP level, and mode (if
> applicable) of Outlook - you can find this information in Help | About. Also
> include the type of mail account(s) you use and any other pertinent details.
>
> .....in addition, you can add domain groups to local workstation groups....I
> usually create a group in AD called "Local Admins" and add that group to
> every workstation's local administrators group - which you can do
> centrally - and add the domain users/groups I wish to that group.
> >
> > http://www.microsoft.com/technet/security/default.mspx --- TechNet
> > Security home page
> >
> > "=pathfinder=" <pathfinder@discussions.microsoft.com> wrote in message
> > news:D628EF43-42A6-4C6C-A231-C45BEC5D8D69@microsoft.com...
> >> I need to figure out a way to prevent the network admins from
> >> promoting themselves to enterprise/schema admins. I have already
> >> set up the restricted
> >> group, but they can still add themselves to these groups to bypass
> >> this. Questions:
> >> -1) How can I set the permissions so only enterprise admin can edit
> >> all GPO's? I will
> >> then delegate specific policies to specific people.
> >> 2) Can I modify the default domain GPO ACL to only have enterprise
> >> admin edit it? I see in the GPMC that I can remove the delegation
> >> to domain admins. Is this how I go about this?
> >> 3) MOST IMPORTANTLY: I have tried removing domain admin permissions
> >> from my guys, but then it gets really hard for them to do their work on
> >> client PC's since they have to log in as local admin. What can I do
> >> to ease this pain and remove domain admin for a few more guys? I
> >> have added them to the administrators group in AD but that did not
> >> seem to help.
> >> 4) Right now the group "domain admins" is added to the
> >> remote tab of the system tab. Should I replace this with the
> >> "Remote Desktop Users" group? I
> >> am also considering customizing this per server, is this safe?
> >>
> >> I realize that I am not doing things the right way and that none of
> >> us should log onto every/any PC as a domain admin, but I do not
> >> have a more efficient method yet.
> >>
> >> TIA
>
>
>
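Steve's first option above is a Group Policy startup script that uses `net localgroup`, and Lanwench's refinement is to add one AD group (her "Local Admins") rather than individual users. The following is an added example of such a script, not code from the thread or from Microsoft. It assumes a domain called CONTOSO and a global group named "Local Admins" (both are placeholders to change), and it checks current membership first so that re-running it at every startup does not produce "already a member" errors in the event log.

```powershell
# Added example (not from the thread): idempotent startup script that puts one
# domain global group into the local Administrators group of a member computer.
# ASSUMPTION: domain CONTOSO and group "Local Admins" are placeholders.
$DomainGroup = 'CONTOSO\Local Admins'
$LocalGroup  = 'Administrators'

function Get-LocalGroupMembers {
    param([string]$Group)
    # 'net localgroup <group>' prints a header, a dashed separator, one member
    # per line, then "The command completed successfully." Return only members.
    $inList = $false
    foreach ($line in (& net localgroup $Group)) {
        if ($line -match '^-{10,}')                               { $inList = $true; continue }
        if ($inList -and $line -match '^The command completed')  { break }
        if ($inList -and $line.Trim())                           { $line.Trim() }
    }
}

$current = @(Get-LocalGroupMembers -Group $LocalGroup)

# -contains is case-insensitive, which matches how Windows treats group names.
if ($current -contains $DomainGroup) {
    Write-Host "$DomainGroup is already a member of $LocalGroup; nothing to do."
} else {
    & net localgroup $LocalGroup $DomainGroup /add
    if ($LASTEXITCODE -ne 0) {
        Write-Error "net localgroup returned exit code $LASTEXITCODE adding $DomainGroup"
    } else {
        Write-Host "Added $DomainGroup to $LocalGroup."
    }
}
```

Unlike the Restricted Groups "Members" mode Steve warns about, this script only adds the one group and never removes existing members, so a machine with a deliberately different local Administrators membership is left alone. If the "enforce exactly this membership" behaviour is what you want, Restricted Groups is the better tool.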


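Steve also says to turn on auditing of account management on the domain controllers and watch the membership of Administrators, Domain Admins, Enterprise Admins and Schema Admins closely. As an added example, not from the thread, this report pulls the resulting group-membership-change events from a domain controller's Security log. It assumes a Vista/2008-or-later event log (the event IDs 4728/4732/4756 for member added and 4729/4733/4757 for member removed, for global, local and universal groups respectively) and the default group names; the seven-day window is a placeholder.

```powershell
# Added example (not from the thread): list recent additions to and removals from
# privileged groups, from the Security log of a DC with account-management auditing on.
# ASSUMPTION: default group names; 7-day window is arbitrary. Run as a local admin on the DC.
$Watched = 'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins'
$AddedIds   = 4728, 4732, 4756   # member added to global / local / universal group
$RemovedIds = 4729, 4733, 4757   # member removed from global / local / universal group
$Since = (Get-Date).AddDays(-7)

function Get-EventDataValue {
    param([System.Xml.XmlElement]$EventData, [string]$Name)
    # Each <Data Name="..."> child of <EventData> carries one named field.
    ($EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$filter = @{ LogName = 'Security'; Id = $AddedIds + $RemovedIds; StartTime = $Since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $data = $x.Event.EventData
    $group = Get-EventDataValue $data 'TargetUserName'   # the group that was changed
    if ($Watched -notcontains $group) { continue }

    [pscustomobject]@{
        Time      = $e.TimeCreated
        Action    = if ($AddedIds -contains $e.Id) { 'Added' } else { 'Removed' }
        Group     = $group
        Member    = Get-EventDataValue $data 'MemberName'       # DN or SID of the member
        ChangedBy = Get-EventDataValue $data 'SubjectUserName'  # who made the change
    }
}
```

Running this on a schedule and alerting on any row for Enterprise Admins or Schema Admins is the practical form of the "monitor it closely" advice: as Steve notes, a domain admin in the root domain cannot be technically prevented from joining those groups, so detection is what is left.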
