Re: Domain Users Group added to Local Administrators
From: Torgeir Bakken (MVP) (Torgeir.Bakken-spam_at_hydro.com)
Date: 04/26/03
- Next message: Jim Jones: "Re: Accounts not locking"
- Previous message: Matthew: "re-applying local security policy"
- In reply to: B. Goodman: "Re: Domain Users Group added to Local Administrators"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 26 Apr 2003 02:18:38 +0200
"B. Goodman" wrote:
> In article <3EA995B5.D5FE80A0@hydro.com>, Torgeir.Bakken-spam@hydro.com
> says...
> > If you use social engineering, I can't see how being a local admin or not is going
> > to matter when it comes to getting yourself to be a domain admin. If this had been
> > much easier as a local admin, I would think Microsoft would have advised much more
> > strongly against users being local admins than they do now.
> >
> > And if this "fooling" is dependent on getting the domain admin to log on to your
> > computer with his domain account, it is a wise rule to *never* use your domain admin
> > account to interactively log on to somebody else's computer.
>
> Yes, it involves getting domain admins to log in locally. This is
> something I've seen even careful admins do. So I have to ask you how
> you advise admins to log into workstations for any administrative
> functions?
Hi
If you need to log into other people's workstations for administrative functions on the
local computer (and not the domain), there are several options; here are some:
- Log on locally using e.g. the local Administrator user
If you want to use a domain user (but not the domain admin user):
- We put the NT AUTHORITY\INTERACTIVE resource into the local Administrators group on
  all workstations to let all domain users automatically become local admins. This way
  all domain users are automatically local admins on whatever computer they log into
  interactively (from the console). This is more secure than putting e.g. "Domain Users"
  in the Administrators group, because NT AUTHORITY\INTERACTIVE will deny admin rights
  if you try to connect remotely in one way or another.
If you want to limit who is able to log on with admin rights:
- Create e.g. a PCSupport group in the domain and add it to the local Administrators
  group. All domain users that are members of the PCSupport group will be local admins.
--
torgeir
Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scriptcenter
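An added example, not part of the original post, that audits the local Administrators group for the three configurations discussed in this thread: the broad "Domain Users" grant, the NT AUTHORITY\INTERACTIVE grant, and a dedicated support group. It assumes PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module (Get-LocalGroupMember) and uses "PCSupport" as the group name only because that is the example name in the post.

```powershell
# Added example (not from the original post): classify each member of the local
# Administrators group according to the options discussed in the thread.
# Assumes: Windows with the LocalAccounts module (Get-LocalGroupMember); the support
# group name is a parameter because "PCSupport" is just the post's example name.
function Test-LocalAdminMembership {
    [CmdletBinding()]
    param(
        # Dedicated domain group used for workstation support (assumed name from the post)
        [string]$SupportGroup = 'PCSupport'
    )

    $members = Get-LocalGroupMember -Group 'Administrators'

    foreach ($m in $members) {
        $name = $m.Name
        $verdict = switch -Wildcard ($name) {
            # Every domain account is admin, whether it logs on at the console or connects remotely
            '*\Domain Users'            { 'BROAD: all domain users are admins, local and remote' }
            # Admin rights only for sessions that hold the INTERACTIVE logon SID
            'NT AUTHORITY\INTERACTIVE'  { 'SCOPED: admin only for interactive logons' }
            # Admin rights limited to the dedicated support group
            "*\$SupportGroup"           { "SCOPED: limited to the $SupportGroup group" }
            # Built-in local Administrator account, expected to be present
            '*\Administrator'           { 'EXPECTED: built-in local Administrator' }
            default                     { 'REVIEW: unexpected member' }
        }

        [pscustomobject]@{
            Member  = $name
            Class   = $m.ObjectClass
            Source  = $m.PrincipalSource
            Verdict = $verdict
        }
    }
}

# Usage: run elevated on a workstation and look for any BROAD or REVIEW rows.
Test-LocalAdminMembership | Format-Table -AutoSize
```

The remediation the post describes is the corresponding Add-LocalGroupMember / Remove-LocalGroupMember calls on the Administrators group (removing "DOMAIN\Domain Users" and adding either "NT AUTHORITY\INTERACTIVE" or "DOMAIN\PCSupport"). One caveat when interpreting the SCOPED verdict for INTERACTIVE: Remote Desktop sessions are interactive logons and also carry the INTERACTIVE SID, so on hosts where Remote Desktop is enabled the grant covers those sessions as well as the console.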