Re: Restrict Desktop Administrators Issue

From: Andy Cadley (ac_at_uea.ac.uk)
Date: 06/03/04

    Date: Thu, 3 Jun 2004 09:18:22 +0100
    
    

    The easiest way is as follows.

    1) Remove them all from the Domain Admins group
    2) Delegate any required AD privileges (Create Computer Objects etc) on the
    OU containing the workstations.
    3) Use the Restricted Groups section of Group Policy to add Desktop Support
    to the local Administrators group on the individual workstations.

    Hope that helps,

    AndyC

    "Jason" <sittingbull7@hotmail.com> wrote in message
    news:b0b3780f.0406030004.41bb6383@posting.google.com...
    > I run a small Win2k native mode network with 28 servers,
    > 400 desktops and 6 desktop administrators. All desktop
    > admins are members of the Domain Admins group.
    >
    > Due to a recent change in the security policy I've been
    > told to restrict my six desktop admins yet still allow
    > them to administer all of the desktops, for desktop
    > support purposes.
    >
    > I want to restrict them from logging onto the servers and
    > managing user accounts. I do not want to stop them from
    > managing, configuring and administering the users' desktops.
    >
    > My earlier attempts to get this done have failed!!! I've
    > added the desktop support people to a new group
    > named "Desktop Support" and then I created a new group
    > policy which denies them log on access to the servers OU.
    > Since these guys are Domain Admins my policy restriction
    > is not working. They can still log on to the servers.
    >
    > I thought that the deny permission was supposed to take
    > priority over the allow permission. Please help as I'm
    > being pressured to deliver a solution on this security
    > threat.
    >
    > I passed the Win 2k Server Exam so I'm not at a total loss
    > of NTFS permissions. I just don't know what I'm doing
    > wrong here. Does this require changing ADSI info, taking
    > them out of the Domain Admins group or something else?
    >
    > My desktop guys need to be administrators on all the
    > desktops whenever they log on with their account, but I do
    > not want them to be able to perform any account management
    > or server administration.
    >
    > Thanks,
    >
    > Jason
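
    The three steps Andy describes, scripted as an added example (this is not code from the thread). It uses PowerShell with the RSAT ActiveDirectory module, dsacls for the OU delegation, and shows the Restricted Groups setting as it is stored in the GPO's GptTmpl.inf; the domain EXAMPLE, the group "Desktop Support", the OU distinguished name and the workstation WS01 are placeholder names.

```powershell
# Added example, not from the original thread. Assumes the RSAT ActiveDirectory
# module, a domain EXAMPLE with a group "Desktop Support", and a workstation OU
# "OU=Workstations,DC=example,DC=local" (all placeholder names).
Import-Module ActiveDirectory

$Group         = 'Desktop Support'
$WorkstationOU = 'OU=Workstations,DC=example,DC=local'

# 1) Take the desktop admins out of Domain Admins. Only remove accounts that are
#    actually direct members, so Remove-ADGroupMember does not error on the rest.
$DesktopAdmins  = Get-ADGroupMember -Identity $Group -Recursive |
                  Where-Object { $_.objectClass -eq 'user' }
$DomainAdminDNs = (Get-ADGroupMember -Identity 'Domain Admins').DistinguishedName
$ToRemove = $DesktopAdmins | Where-Object { $DomainAdminDNs -contains $_.DistinguishedName }
if ($ToRemove) {
    Remove-ADGroupMember -Identity 'Domain Admins' -Members $ToRemove -Confirm:$false
}

# 2) Delegate only what desktop support needs in AD: create/delete computer
#    objects on the workstation OU, inherited to sub-OUs (/I:T). Nothing is
#    granted on user objects or on the servers OU.
dsacls $WorkstationOU /I:T /G "EXAMPLE\${Group}:CCDC;computer"

# 3) Restricted Groups. In the GPO linked to the workstation OU this is
#    Computer Configuration > Windows Settings > Security Settings >
#    Restricted Groups; on disk it is written to the GPO's GptTmpl.inf.
#    The "Memberof" form below ADDS the group to local Administrators
#    (S-1-5-32-544). Putting the group in the "Members" list of the built-in
#    Administrators group instead would REPLACE the whole local membership,
#    dropping the local Administrator account and anything else already there.
$GroupSid = (Get-ADGroup -Identity $Group).SID.Value
$RestrictedGroupsInf = @"
[Group Membership]
*${GroupSid}__Memberof = *S-1-5-32-544
*${GroupSid}__Members =
"@
Write-Output $RestrictedGroupsInf

# 4) Verify. Domain Admins should no longer contain any desktop admin, and
#    after 'gpupdate /force' a sample workstation should list the group among
#    its local Administrators (Get-LocalGroupMember needs PowerShell 5.1+).
$Leftover = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
            Where-Object { $DesktopAdmins.DistinguishedName -contains $_.DistinguishedName }
if ($Leftover) { Write-Warning "Still in Domain Admins: $($Leftover.SamAccountName -join ', ')" }

Invoke-Command -ComputerName 'WS01' -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators'   # expect EXAMPLE\Desktop Support listed
}
```

    Once the accounts are out of Domain Admins, the deny-logon policy on the servers OU from the original question applies to ordinary domain users who can no longer edit or unlink that GPO themselves.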

