Re: Domain user security

From: Steven L Umbach (n9rou_at_comcast.net)
Date: 10/04/03


Date: Fri, 03 Oct 2003 22:19:58 GMT

You never want to put a regular user in the domain admins or administrators group on
a domain controller. You could put them in the local administrators group on the
domain member machines by adding their domain account to the group, which will give
them no additional powers managing Active Directory or the domain. However, unless you
have a real good reason to do so, I think it is a mistake. Instructors post here
quite often about the mayhem students do to their machines and other machines in the
domain, including installing unauthorized software and trying to hack other users'
computers.

--- Steve

"David Pickett" <picasso1048@juno.com> wrote in message
news:03fd01c389e5$386ab820$a301280a@phx.gbl...
> I'm currently setting up a 2k3 standard server with AD. I
> have about 100 students logging into this system on 30
> Windows 2000 computers. The instructor wants to give full
> administrative rights to the students on the client
> computers without giving them membership to the domain
> admin or Administrator group. The idea is to keep file
> security intact and deny local access to the server. Is
> there a possibility to give admin access to the client
> computers without compromising overall security? The y
> way I have suggested is to use the local admin account but
> that didn't fit with the instructor.


