Re: Local admin group?
From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 01/07/05
- Next message: Roger Abell: "Re: Is every user a member of Users?"
- Previous message: Herb Martin: "Re: Is every user a member of Users?"
- In reply to: Dan Tindell: "Local admin group?"
- Next in thread: Herb Martin: "Re: Local admin group?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 7 Jan 2005 02:08:44 -0700
You are not well served by using Domain Admins for
anything except what it is intended for - managing the
domain. This group has a broad scope of capabilities, and
use of accounts that are members of it should be restricted.
Your observation that you cannot define a Local Admins
group and add it to Administrators implies that you are
letting people use machine local accounts instead of only
using domain accounts. If you have them use domain accounts
then you can group them into a domain local security group
and have this added to the machine local Administrators group.
I would highly recommend to you that you do not make the
accounts of those one or two people at each site special.
Their account should be as limited as any other person's
account at that site - able to do what they need to for their
day to day activities.
Instead, make available an account that is an admin for the
use of those one or two people when, and only when, they
need to do something that requires those capabilities. Also,
audit and monitor the login/logoff events of those empowered
accounts to make sure that they are being used only when
needed and in appropriate ways.
One can manage the machine local Administrators group for
all machines in an OU by use of a Restricted Group definition
in a GPO linked to the OU - if and only if the membership in
all of those machines is to be exactly the same. Otherwise
you can use a startup script that checks for membership of a
specific account or group in the machine local Administrators
group and, if not present, adds it/them.
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA

"Dan Tindell" <DanTindell@Hotmail.com> wrote in message news:OKgfawA9EHA.3828@TK2MSFTNGP09.phx.gbl...
> We have an AD domain where other offices join the domain via VPN. My problem
> is in administrators. I need to give one or 2 people at each office the
> ability to have administrator priv's on all local 2k machines for the
> purpose of updates but I don't want them to have admin rights on our
> servers.
>
> My first thought was "domain admin" but that is part of the Administrators
> group.
>
> By default, with Windows 2000, when you join a domain, domain admins and
> administrators has local admin rights on that computer to do things such as
> "Windows Updates", change network settings, add programs etc. You can't
> just create a group called Local Domain Admin then add them as a user
> account with admin rights because you can't add groups... only users locally
> on each station.
>
> I thought of removing domain admins from the administrators group on the
> domain and adding those users from each office to the domain admin but I'm
> not sure that it would be the right approach or would work.
>
> Does anyone have any ideas?
>
> Thanks,
> Dan
> DanTindell@Hotmail.com
>
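The following is an added example, not part of Roger Abell's post or Dan Tindell's question. It implements the second option from the reply above: a computer startup script, deployed by a GPO linked to the workstation OU, that checks whether a domain local security group is in the machine local Administrators group and adds it if missing. It also reports any members that are not on an expected list, so the site admins can spot drift without Restricted Groups' exact-membership enforcement. The domain name CONTOSO, the group name "Workstation Admins" and the log path are placeholders; the script assumes a Windows version that ships the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 or later), which the Windows 2000 machines in the original thread would not have.

```powershell
# Added example (not from the original thread). Runs as SYSTEM when deployed as a
# GPO computer startup script. CONTOSO and "Workstation Admins" are placeholders.
$DomainGroup = 'CONTOSO\Workstation Admins'   # domain local group holding the site admins
$LocalGroup  = 'Administrators'
$LogPath     = Join-Path $env:SystemRoot 'Temp\ensure-local-admins.log'

# Members that are expected in the local Administrators group on every machine in the OU.
# Anything else is reported as drift for the defender to review (constructed list).
$ExpectedMembers = @(
    'Administrator',
    'CONTOSO\Domain Admins',
    $DomainGroup
)

function Write-Log {
    param([string]$Message)
    "$(Get-Date -Format o) $env:COMPUTERNAME $Message" |
        Out-File -FilePath $LogPath -Append -Encoding utf8
}

function Get-LocalAdminMembers {
    # Orphaned SIDs (deleted accounts) can make this cmdlet error on some hosts,
    # so return whatever it can enumerate instead of aborting the whole script.
    Get-LocalGroupMember -Group $LocalGroup -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Name }
}

function Ensure-DomainGroupIsLocalAdmin {
    $members = @(Get-LocalAdminMembers)

    if ($members -contains $DomainGroup) {
        Write-Log "$DomainGroup already present in $LocalGroup; no change."
    } else {
        # Additive only: this never removes anyone, unlike a Restricted Groups policy.
        Add-LocalGroupMember -Group $LocalGroup -Member $DomainGroup -ErrorAction Stop
        Write-Log "Added $DomainGroup to $LocalGroup."
        $members += $DomainGroup
    }

    # Report members that are not on the expected list. The local machine name is
    # stripped so 'PC01\Administrator' compares equal to 'Administrator'.
    $unexpected = $members |
        ForEach-Object { $_ -replace "^$([regex]::Escape($env:COMPUTERNAME))\\", '' } |
        Where-Object { $ExpectedMembers -notcontains $_ }

    foreach ($m in $unexpected) {
        Write-Log "DRIFT: unexpected member of ${LocalGroup}: $m"
    }
}

try {
    Ensure-DomainGroupIsLocalAdmin
} catch {
    Write-Log "FAILED: $($_.Exception.Message)"
    exit 1
}
```

Because the script only adds and reports, it is safe to link to an OU where a few machines legitimately have extra local administrators; where every machine must have identical membership, the Restricted Groups setting in the same GPO is the simpler and stricter tool, as the reply notes. Collecting the log lines centrally gives the login/logoff auditing the reply recommends a companion record of which machines have non-standard administrators.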