Re: Global Security Group on XP Machine

For the local machine login, given that you must have this,
you could place INTERACTIVE as a member of Administrators
on each machine. Then whoever has logged in locally will be
admin on that machine during that login.

If you must give that much ground, try winning the argument
that you should not give admin when they have logged in to
a terminal services sessions, as they know nothing about how
to administer a server and could disrupt the use of terminal
services for all.

"MattRidd" <MattRidd@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:1EBADC84-6AF0-4458-9377-CC5C7FE8D8BB@xxxxxxxxxxxxxxxx
That is nearly what I am trying to do.
All of the 500 users have, and require, admin rights on the PC that they
are
logging onto & don't mind them having admin rights if they log onto a PC /
Server through Terminal Services. The thing that I am trying to take away
is
the ability to browse around the c$ hidden share of any PC on the network.
Personally I would rather remove their admin rights, but that is not an
option. Having 500 admins in a company of 1500 is crazy, epecially as very
few work in IT.

Hope that makes more sense?

Matt

"Nick Domukhovsky" wrote:

Hello,
I have just started at a company & their setup is a little strange.
There is a global Security group, in active directory, that is a member
of
the local administrators group. The global group has approx. 500 users
in it.
The problem that I have is the fact that as the user is a member of the
local admin group of the machine they are on, they can also browse to
other
machines on the network & have a look around the C drive.
I would like to give this group admin rights only when they are logged
on to
the local machine.
Is this possible?

Many Thanks,

Matt Riddler

I don't understand the reason for your configuration.

So you want to give any user administrator rights on a host, in which
this user log's on locally, but you don't want to give him admin rights
when he log's on from the network?



--
With best regards
Nickolay Domukhovsky, MCSA



.

Relevant Pages

  • Re: xp pro - win2k domain woes
    ... You can make the domain user account a member of the built-in administrators ... Administrators group rights in order to do this. ... > programs on their local machine as well as be a member to a win2k domain? ...
    (microsoft.public.win2000.networking)
  • Re: Creating a real administrator user
    ... To change wallpaper and unlock the taskbar, you need to be Administrator on ... the local machine. ... if you make the user a member of the Domain ... member of the local Administrators group on each computer that has joined ...
    (microsoft.public.windows.server.active_directory)
  • Re: Understanding "Administrator domain.local/builtin"
    ... "Administrators" for local machine and Domain Admins for AD administration). ... Make sure that you only have trusted people as member of these groups. ...
    (microsoft.public.windows.server.active_directory)
  • Re: Windows 200 server
    ... Are you saying you can make the Domain user group, ... Administrators on the domain, a member of the local Administrators group? ... > | What would be blocking this user for full admin rights on the machine whn ...
    (microsoft.public.windowsxp.security_admin)
  • Re: Temporary Local Admin Access for Techs
    ... You can use Restricted Groups to do that, ... and use the Option This group is a member of Administrators. ... already be on the local machine. ...
    (microsoft.public.windows.server.active_directory)