Re: W2K Pro Local Admins
From: tr6boy (mcreamer@earthlink.net)
Date: 04/16/03
- In reply to: Joe Richards [MVP]: "Re: W2K Pro Local Admins"
From: "tr6boy" <mcreamer@earthlink.net>
Date: Wed, 16 Apr 2003 10:28:34 -0700

Joe, once they're removed, how would they put themselves
back in? Would that not work only if they knew an account
+ password that had administrative rights locally on the
box?
>-----Original Message-----
>This is actually fairly common in larger organizations that have
>decentralized or tightly controlled administrative roles. There are no
>implications to removing domain admins from the workstation and member
>server admin groups. Keep in mind that anytime the domain admins want back
>in, they can get back in and removing them really isn't doing much if you
>already don't trust them. However you can set up audit policies that catch
>that add event and page people.
>
>As Torgeir mentioned, you probably shouldn't have enough domain admins to
>make it matter anyway, we run a large globally distributed AD forest
>comprising 9 domains, 250k users, 80k+ machines, 50k+ groups, and some 375
>or so Domain Controllers and have exactly 3 Domain Admins, 0 domain server
>operators, 0 domain print operators. Working on client machines is more of a
>pain in the *** for us than anything, we don't directly support those
>machines but whether or not we are in the local admins group completely
>depends on the local site PC support group and whether or not they have
>removed our Domain Admins group.
>
>--
>Joe Richards
>www.joeware.net
>---
>
>"tr6boy" <mcreamer@earthlink.net> wrote in message
>news:061a01c30386$33c8e250$a001280a@phx.gbl...
>> "Managers" in my company are questioning the value of
>> having Domain Admins group in the Local Administrators
>> group of every Windows 2000 Pro machine (there are about
>> 5000 client PCs).
>>
>> It's not enough for me to say it's like that by design,
>> or that I may need that access to fix a problem. They are
>> proposing that a special group be created of 2 or 3
>> people that are local admins on every machine.
>>
>> My question is, what are the possible ramifications of
>> doing this? Is it a common practice? What are some
>> possible gotchas?
>>
>> Thanks for any opinions on this...if I can come up with
>> some significant potential problems, they won't do it. My
>> thinking it's stupid isn't enough ;-)
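
The audit approach mentioned in the quoted reply ("catch that add event and page people"), sketched as an added example that is not part of the original thread. It assumes account-management auditing is enabled on the workstations and that Security log events have been exported into records with the hypothetical field names used below; the host names, accounts and SIDs are constructed.

```python
# Added example: flag additions to the local Administrators group.
# The record layout (event_id, host, group_sid, ...) is an assumed export format.

# 636 (Windows 2000/2003) and 4732 (Vista and later) both mean
# "member added to a security-enabled local group".
MEMBER_ADDED_IDS = {636, 4732}
LOCAL_ADMINISTRATORS_SID = "S-1-5-32-544"  # BUILTIN\Administrators
DOMAIN_ADMINS_RID = "512"                  # final SID component of Domain Admins

# Constructed sample records, not taken from a real log.
DOM = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_EVENTS = [
    {"event_id": 636, "host": "PC-0417", "time": "2003-04-16T10:41:07",
     "group_sid": "S-1-5-32-544", "member_sid": DOM + "-512",
     "caller": "EXAMPLE\\dadmin1"},
    {"event_id": 636, "host": "PC-0417", "time": "2003-04-16T10:42:30",
     "group_sid": "S-1-5-32-545", "member_sid": DOM + "-1104",
     "caller": "EXAMPLE\\pcsupport"},          # Users group: not of interest
    {"event_id": 4732, "host": "PC-2290", "time": "2003-04-16T11:05:12",
     "group_sid": "S-1-5-32-544", "member_sid": DOM + "-1187",
     "caller": "EXAMPLE\\pcsupport"},
    {"event_id": 528, "host": "PC-2290", "time": "2003-04-16T11:06:00"},
]


def is_domain_admins(sid):
    """True if the SID is a domain SID whose RID is 512 (Domain Admins)."""
    return sid.startswith("S-1-5-21-") and sid.rsplit("-", 1)[1] == DOMAIN_ADMINS_RID


def find_admin_group_adds(events):
    """Return one alert per member added to BUILTIN\\Administrators."""
    alerts = []
    for ev in events:
        if ev.get("event_id") not in MEMBER_ADDED_IDS:
            continue
        if ev.get("group_sid") != LOCAL_ADMINISTRATORS_SID:
            continue
        alerts.append({
            "host": ev["host"], "time": ev["time"], "added_by": ev["caller"],
            "member_sid": ev["member_sid"],
            # The case discussed in the thread: Domain Admins put back in.
            "domain_admins_readded": is_domain_admins(ev["member_sid"]),
        })
    return alerts


if __name__ == "__main__":
    for alert in find_admin_group_adds(SAMPLE_EVENTS):
        print(alert)
```

Matching on the group SID rather than the group name keeps the check working on machines where the Administrators group has been renamed or localized.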