Re: users must be local admin but this means domain admin can be locked out
From: karl [x y] (jamescagney90210@excite.com)
Date: 08/09/02
- Next message: karl [x y]: "Re: local security policy problem (virus?)"
- Previous message: Arild Bakken: "Re: users must be local admin but this means domain admin can be locked out"
- In reply to: Scott: "users must be local admin but this means domain admin can be locked out"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "karl [x y]" <jamescagney90210@excite.com>
Date: Fri, 9 Aug 2002 07:12:17 -0400
"Scott" <scottscotland@yahoo.com> wrote in message
news:#fYaek4PCHA.2608@tkmsftngp10...
> Hi,
>
> Anyway, that means all users can access the USER/PASSWORD options, they can
> also delete all entries from USER LIST and change any PASSWORD. Which means
> I can be locked out, doesn't it?
Yes, a local admin can change and delete group permissions, and also unjoin
the computer from the domain, locking you out of the computer. They can
change local passwords but not passwords for domain users and groups that
have been added to the computer. The fix for the password issue is to join
the workstations to the domain, add the necessary domain users to a global
[or similar] group on the domain, then add the domain global group to the
appropriate local group. This way, you can still be locked out of a
workstation by having your group removed, but your password cannot be
changed. This also may simplify the management by allowing you to manage
and audit all workstation group membership from the domain instead of having
to connect to each workstation.
> If you delete the domain admin from the machine, domain admin can login, but
> not access the user/passwords.
Worse, I believe they can remove you from all groups so that you should not
be able to log in at all... unless you use the restricted groups feature as
mentioned in the previous post.
> In addition, I'm set up as a domain admin yet my username is not in the password
> list on my machine. Why does everyone else's name have to be in the password
> list as local admin?
If I understand your question correctly, they don't and they shouldn't, if
you added them using a domain group instead of local accounts.
You might also try adding your users to the Power Users group instead of the
Administrators group, as described below, and see if they can still install
most of the software they need:
"Power Users --
a. Can *create* local user accounts and groups and offer resources for sharing across the network
b. Can modify the users and groups *that they have created.*
c. Can install applications, as long as the applications don't install operating system services or modify operating system files
d. Can create, manage and delete local printers
e. Can modify the system clock
f. Can stop and start system services as long as the services don't start automatically
g. Can remove users from the Guests, Users and Power Users groups
h. Can't modify or delete user accounts that they did not create
i. Can't modify membership in the Administrators or Backup Operators groups
j. Can't take ownership of files"
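As an added example (not part of karl's post, and not a Microsoft tool), the following PowerShell script audits a workstation for the three exposures the reply describes: a required domain group removed from the local Administrators group, local accounts granted admin rights directly instead of through a domain group, and the host having been unjoined from the domain. The domain name CONTOSO and the group CONTOSO\WS-Admins are assumptions; it needs the Microsoft.PowerShell.LocalAccounts module (Windows PowerShell 5.1 or later).

```powershell
# Audit the local Administrators group against the "domain global group
# inside the local group" layout recommended in the reply above.
# Assumed names: CONTOSO is the domain, CONTOSO\WS-Admins is the global group
# that holds the workstation administrators.

$Domain          = 'CONTOSO'                                         # assumption
$RequiredMembers = @("$Domain\Domain Admins", "$Domain\WS-Admins")   # assumption
$BuiltinAdmin    = "$env:COMPUTERNAME\Administrator"

$members = Get-LocalGroupMember -Group 'Administrators'
$names   = $members | ForEach-Object { $_.Name }

# 1. Required domain groups that a local admin has removed (the lockout case).
foreach ($req in $RequiredMembers) {
    if ($names -notcontains $req) {
        Write-Warning "Missing required member '$req': domain admins may be locked out of this host"
    }
}

# 2. Local accounts holding admin rights directly. Unlike domain accounts, their
#    passwords can be reset by any other local admin on this machine.
foreach ($m in $members) {
    if ($m.PrincipalSource -eq 'Local' -and $m.Name -ne $BuiltinAdmin) {
        Write-Warning "Local account with admin rights: $($m.Name) ($($m.ObjectClass))"
    }
}

# 3. Confirm the host is still joined to the domain (a local admin can unjoin it).
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain -or $cs.Domain -notlike "$Domain*") {
    Write-Warning "Host is not joined to $Domain (current domain/workgroup: $($cs.Domain))"
}
```

Run it from the domain side against each workstation (for example via Invoke-Command) to get the centralized membership audit the reply mentions, rather than logging on to each machine.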