Re: Local Admin

From: Steven L Umbach (sumbach_at_ameritech.net)
Date: 08/06/03


Date: Wed, 06 Aug 2003 19:48:50 GMT


Hi Paul. You could use "restricted groups" to accomplish this. Create an
Organizational Unit and put the computers in the OU that they need to be
local administrator on. Create a new GPO for the OU and configure restricted
groups for the administrators group. Add the domain admins and any other
users or groups that need to be local administrators on those machines. Do
NOT do this at the domain level, or they will end up being domain
administrators. Be sure to implement a test setup before rolling out.

--- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;228496
http://support.microsoft.com/default.aspx?scid=kb;en-us;320045

"Paul" <pwk_1@yahoo.co.uk> wrote in message
news:9eb501c35c38$c4ece7d0$a001280a@phx.gbl...
> I am currently setting up delegation of administrative
> control at my workplace. I am doing this to cut down on
> the number of people that are in the Domain admins group
> that don't need to be.
>
> The problem I have is some of the people that need to be
> removed from the default Domain admins group need to have
> privileges to install software on users' local machines
> when they're on jobs.
>
> We have 1000+ computers and we are running Windows 2000
> with Active Directory in a Mixed mode.
>
> I don't want to have to add them to the local admins group
> on each machine, as I would be there next Christmas with
> 1000+ computers. And if I could avoid them having to log
> on locally each time as administrator that would be good.
>
> So I was wondering if someone knows of an easy way of
> doing this without giving too much administrative control,
> or keeping them in the Default Domain Administrators group.
>
> Any advice would be good advice
>
> Thanks
>
> Paul
>
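
An added example, not part of the original posts: a GPO's Restricted Groups settings are stored in its GptTmpl.inf security template under `[Group Membership]`, and the Members list is enforced as the group's membership, so a list that omits Domain Admins would drop that group from local Administrators. The sketch below parses that section and checks the Administrators entry before rollout; the template text, the domain SID, the RID 1105 group and the function names are constructed for illustration.

```python
# Added example: audit the Restricted Groups section of a security template.
ADMINISTRATORS = "S-1-5-32-544"   # well-known SID of BUILTIN\Administrators
DOMAIN_ADMINS_RID = "512"         # well-known RID of Domain Admins (SID-form entries only)

# Constructed sample; the domain SID and the RID 1105 group are placeholders.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-512,*S-1-5-21-1111111111-2222222222-3333333333-1105
"""

def restricted_groups(inf_text):
    """Return {group: {"members": [...], "memberof": [...]}} from [Group Membership]."""
    groups, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        group, sep, kind = key.strip().rpartition("__")
        if not sep:
            continue
        entries = [v.strip().lstrip("*") for v in value.split(",") if v.strip()]
        slot = groups.setdefault(group.lstrip("*"), {"members": [], "memberof": []})
        slot[kind.lower()] = entries
    return groups

def audit_local_admins(inf_text):
    """List findings for the Administrators entry; an empty list means no finding."""
    entry = restricted_groups(inf_text).get(ADMINISTRATORS)
    if entry is None:
        return ["no Restricted Groups entry for Administrators"]
    members = entry["members"]
    findings = []
    if not members:
        findings.append("Members list is empty")
    if not any(m.startswith("S-1-5-21-") and m.endswith("-" + DOMAIN_ADMINS_RID) for m in members):
        findings.append("Domain Admins is not in the Members list")
    return findings
```

A real GptTmpl.inf is normally saved as UTF-16, so decode it with that encoding before passing the text to `audit_local_admins`.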


