Re: Local admin group?

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 01/07/05


Date: Thu, 6 Jan 2005 18:40:28 -0600

No don't remove the domain admins group from the administrators group for
the domain. Create a global group of users to add the local administrators
group of the domain workstations. You can do that using Group Policy and
"restricted groups" at the Organizational Unit level where the domain
computer accounts reside. Note that you do NOT want to do it at the domain
level or they will end up being domain administrators. Using restricted
groups works well but it will remove all current users in the local
administrators groups [except built in admin] and replace it with what you
define in restricted groups. Otherwise you can use Group Policy "startup"
script and the net localgroup command to add the global group to the local
administrators group on the affected computers. The link below may
help. --- Steve

http://www.jsiinc.com/SUBK/tip5300/rh5319.htm

"Dan Tindell" <DanTindell@Hotmail.com> wrote in message
news:OKgfawA9EHA.3828@TK2MSFTNGP09.phx.gbl...
> We have an AD domain where other offices join the domain via VPN. My
> problem is in administrators. I need to give one or 2 people at each
> office the ability to have administrator priv's on all local 2k machines
> for the purpose of updates but I don't want them to have admin rights on
> our servers.
>
> My first thought was "domain admin" but that is part of the Administrators
> group.
>
> By default, with Windows 2000, when you join a domain, domain admins and
> administrators have local admin rights on that computer to do things such
> as "Windows Updates", change network settings, add programs etc. You
> can't just create a group called Local Domain Admin then add them as a
> user account with admin rights because you can't add groups... only users
> locally on each station.
>
> I thought of removing domain admins from the administrators group on the
> domain and adding those users from each office to the domain admin but I'm
> not sure that it would be the right approach or would work.
>
> Does anyone have any ideas?
>
> Thanks,
> Dan
> DanTindell@Hotmail.com
>
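The startup-script alternative Steve mentions, written out as an added example (it is not code from the thread). It assumes a domain called CONTOSO, a global group named "Workstation Admins", and a log file under %SystemRoot%\Temp; all three are placeholders. The policy carrying the script is assumed to be linked at the workstation OU, and the ProductType check is only a second guard so the script does nothing if it ever runs on a domain controller.

```batch
@echo off
rem Computer startup script: runs as Local System at boot, so no user rights are needed.
rem Adds the domain global group to the local Administrators group without replacing
rem the existing members (unlike Restricted Groups, which rewrites the whole membership).
setlocal
set "GRP=CONTOSO\Workstation Admins"
set "LOG=%SystemRoot%\Temp\localadmin-startup.log"

rem Guard: on a domain controller "net localgroup Administrators" edits the domain-wide
rem builtin group, which is exactly what the post warns against. ProductType is WinNT on
rem workstations, ServerNT on member servers, LanmanNT on DCs (reg.exe is built in from
rem XP on; on Windows 2000 it comes with the Support Tools).
reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v ProductType 2>nul | find "LanmanNT" >nul
if not errorlevel 1 (
    echo %DATE% %TIME% domain controller detected, nothing changed>>"%LOG%"
    exit /b 0
)

rem Idempotent: "net localgroup Administrators" lists members as DOMAIN\name, one per
rem line, so only call /add when the group is missing (avoids an error every boot).
net localgroup Administrators | find /i "%GRP%" >nul
if not errorlevel 1 (
    echo %DATE% %TIME% %GRP% already a member>>"%LOG%"
    exit /b 0
)

net localgroup Administrators "%GRP%" /add >>"%LOG%" 2>&1
if errorlevel 1 (
    echo %DATE% %TIME% FAILED to add %GRP% (see net.exe output above)>>"%LOG%"
    exit /b 1
)
echo %DATE% %TIME% added %GRP% to local Administrators>>"%LOG%"
exit /b 0
```

Assign it under Computer Configuration, Windows Settings, Scripts (Startup) in a GPO linked to the OU holding the workstation accounts; the log lets you confirm from each machine which branch ran.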
