Re: Question about group

From: Torgeir Bakken (MVP) (Torgeir.Bakken-spam@hydro.com)
Date: 12/20/02


From: "Torgeir Bakken (MVP)" <Torgeir.Bakken-spam@hydro.com>
Date: Fri, 20 Dec 2002 20:33:37 +0100


Hi

It would mean that a domain user can log on to any computer and get admin rights to
it. That may not be so bad if that is the policy. But would you not open the
possibility for everyone to remotely access the other computers with local admin
rights when adding YourDomain\Domain Users to YourComputer\Administrators? This
is not so good if you ask me.

This is how we have done it:

We wanted all domain users to be able to log on to any domain computer
(non-servers) with administrative rights, but not give them the right to access
other domain computers remotely with administrative rights. This was solved by
adding the built-in role "INTERACTIVE" to the local Administrators group.

For people who need to protect their local computer from others accessing it
interactively, a 3rd party disk encryption program is installed that asks for a
password at bootup. Also, all laptops are installed with this disk encryption
program to make them secure when the users take the computers out of the office.

--
torgeir
Microsoft MVP Scripting and WMI
Porsgrunn Norway

"Ricardo M. Urbano - W2K/NT4 MVP" wrote:
> Excuse me?!  The recommendation was to add the domain Domain Users group
> to the local Administrators group of the machine in question.  That will
> do exactly what was asked: make every domain user a local admin *only*
> on that particular machine.
>
> "Steve Riley (MSFT)" wrote:
> >
> > This will give *all* domain users administrative rights to *every* local
> > computer. Instead, on each computer, add YourDomain\YourDomainID to
> > YourComputer\Administrators.
> >
> >
> > "Brian Desmond/469090" <desmondb@payton.cps.k12.il.us> wrote in message
> > news:u#eQSK7pCHA.704@TK2MSFTNGP09...
> > > Add YourDomain\Domain Users to YourComputer\Administrators from the local
> > > users and groups inside computer management. This will give your users
> > > administrative access to the machine.
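
The thread contrasts Domain Users with INTERACTIVE as members of the local Administrators group. The following is an added audit example, not code from any of the posters: it flags broad principals in that group and states which logon types receive admin rights through them. The function name `Get-BroadAdminFinding` is hypothetical and the sample SIDs are constructed.

```powershell
# Added example: classify broad principals found in the local Administrators group.
function Get-BroadAdminFinding {
    param([Parameter(Mandatory)][string[]]$MemberSid)

    # Well-known SIDs and the logon types that pick up admin rights through them.
    $wellKnown = @{
        'S-1-1-0'  = @('Everyone',            'interactive and network logons')
        'S-1-5-11' = @('Authenticated Users', 'interactive and network logons')
        'S-1-5-2'  = @('NETWORK',             'network logons only')
        'S-1-5-4'  = @('INTERACTIVE',         'interactive logon sessions only')
    }

    foreach ($sid in $MemberSid) {
        if ($wellKnown.ContainsKey($sid)) {
            [pscustomobject]@{
                Sid       = $sid
                Principal = $wellKnown[$sid][0]
                AdminVia  = $wellKnown[$sid][1]
            }
        }
        elseif ($sid -match '^S-1-5-21-\d+-\d+-\d+-513$') {
            # RID 513 under a domain SID is that domain's Domain Users group.
            [pscustomobject]@{
                Sid       = $sid
                Principal = 'Domain Users'
                AdminVia  = 'interactive and network logons'
            }
        }
    }
}

# Constructed membership: built-in Administrator (RID 500), Domain Users, INTERACTIVE.
$sample = @(
    'S-1-5-21-1111111111-2222222222-3333333333-500',
    'S-1-5-21-1111111111-2222222222-3333333333-513',
    'S-1-5-4'
)
Get-BroadAdminFinding -MemberSid $sample | Format-Table -AutoSize

# On a live machine with the LocalAccounts module, audit the real membership.
# S-1-5-32-544 is BUILTIN\Administrators, so this works on localized systems too.
if (Get-Command Get-LocalGroupMember -ErrorAction SilentlyContinue) {
    $live = (Get-LocalGroupMember -SID 'S-1-5-32-544').SID.Value
    if ($live) { Get-BroadAdminFinding -MemberSid $live | Format-Table -AutoSize }
}
```

For the constructed sample, the Domain Users entry is reported with both interactive and network logons, while INTERACTIVE is reported for interactive sessions only; the RID 500 account is not flagged.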

