Re: users removing Domain Admin from local admin group
From: Joe Richards [MVP] (humorexpress@hotmail.com)
Date: 10/27/02
- Next message: Lynden Beesley: "blocking unwanted and unsolicited emails"
- Previous message: Joe Richards [MVP]: "Re: Force Password Change"
- In reply to: jes: "users removing Domain Admin from local admin group"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Joe Richards [MVP]" <humorexpress@hotmail.com> Date: Sun, 27 Oct 2002 11:04:51 -0500
You can't set the machine up so local admins can't modify the local
administrators group. You have a couple of different ways you can tackle
this.
1. If the corporate policy is that domain admins are to be listed in the
administrators group of any machine that is part of the domain and
management backs that, then send out a global broadcast to anyone with a
machine in the domain with the following:
The corporate policy states that DOMAIN\Domain Admins group must be present
in all local administrators groups of all PCs that are members of DOMAIN.
Any machine that does not have DOMAIN\Domain Admins in the administrators
group will be removed from the domain or DISABLED.
Then send a warning to any machines that don't have domain admins in the
local admins group, saying that they will be losing domain privileges.
Then if they don't respond, remove them from the domain or disable the
machine account.
2. You can try to put something together to force that membership the way
you want. Depending on your company and how you do things this could be
trivial or it could be involved.
If you want a specific membership of the administrators group such as
    Administrator
    Domain Admins
    UserID
then you can set up a restricted policy like Daniel mentioned. Note that
that membership will be locked; you won't be able to make it special on
certain machines without removing them from that policy.
If you just want to re-add domain admins, you have two options:
A. Set up a startup script that adds domain admins every time the machine
reboots, with the startup script having
    net localgroup administrators "domain\domain admins" /add
B. Write a service that runs and constantly monitors the membership of
administrators and adjusts it when it has been changed.
I would recommend stopping the people who are doing this versus trying to
jump through a bunch of hoops to enforce it.
--
Joe Richards
www.joeware.net

---

"jes" <dylan619@hotmail.com> wrote in message news:a57501c279db$50b3baf0$2ae2c90a@phx.gbl...
> The users in my organization all have local admin
> privileges on their machines, and some of them abuse this
> privilege to remove the domain admin account from the
> local admin group. As we all know, the power user group
> has limitations -- is there a way to tweak the security
> policy so that the user has all administrative rights
> EXCEPT the right to alter the administrator group?
>
> thanks
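An added example, not from Joe's post or the thread, of the check-and-restore logic behind options A and B: a PowerShell script for a machine startup script or scheduled task that verifies DOMAIN\Domain Admins is still in the local Administrators group, records any drift in the Application event log so it can be collected centrally, and then re-adds the group. It assumes the DOMAIN\Domain Admins name from the post, the Microsoft.PowerShell.LocalAccounts cmdlets (Windows 10 / Server 2016 and later), and a constructed event source name.

```powershell
# Added example: verify that DOMAIN\Domain Admins is in the local Administrators
# group and restore it if a local admin removed it. Run elevated, e.g. as a
# scheduled task or machine startup script. "DOMAIN" is the placeholder name
# from the post; replace it with the real NetBIOS domain name.
param(
    [string]$RequiredMember = 'DOMAIN\Domain Admins',
    [string]$LocalGroup     = 'Administrators',
    [string]$EventSource    = 'LocalAdminMembershipCheck'   # constructed name
)

# Register an event source once so drift is recorded in the Application log
# and can be forwarded to a collector, rather than only being silently repaired.
if (-not [System.Diagnostics.EventLog]::SourceExists($EventSource)) {
    New-EventLog -LogName Application -Source $EventSource
}

# Compare by SID rather than display name: Domain Admins is the well-known
# RID 512 under the domain SID, so a renamed group still satisfies the check.
$account     = New-Object System.Security.Principal.NTAccount($RequiredMember)
$requiredSid = $account.Translate([System.Security.Principal.SecurityIdentifier])

$members = Get-LocalGroupMember -Group $LocalGroup -ErrorAction Stop
$present = $members | Where-Object { $_.SID -eq $requiredSid }

if ($present) {
    Write-EventLog -LogName Application -Source $EventSource -EventId 1000 `
        -EntryType Information -Message "$RequiredMember present in $LocalGroup."
    exit 0
}

# Drift detected: snapshot the current membership before fixing it, so the
# audit trail shows what the group looked like while the member was missing.
$snapshot = ($members | ForEach-Object { $_.Name }) -join ', '
Write-EventLog -LogName Application -Source $EventSource -EventId 1001 `
    -EntryType Warning -Message ("$RequiredMember missing from $LocalGroup on " +
    "$env:COMPUTERNAME. Current members: $snapshot")

try {
    Add-LocalGroupMember -Group $LocalGroup -Member $RequiredMember -ErrorAction Stop
    Write-EventLog -LogName Application -Source $EventSource -EventId 1002 `
        -EntryType Information -Message "$RequiredMember re-added to $LocalGroup."
} catch {
    Write-EventLog -LogName Application -Source $EventSource -EventId 1003 `
        -EntryType Error -Message "Failed to re-add ${RequiredMember}: $_"
    exit 1
}
```

Event IDs 1001 and 1003 are the ones worth alerting on centrally; a machine that keeps logging 1001 is the case Joe's first option (talking to the person doing it) addresses better than re-adding the group every boot.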