Re: administrator rights for computer

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 09/14/05


Date: Wed, 14 Sep 2005 11:56:09 -0500

You could use Group Policy Restricted Groups and the "member of" option for
Windows 2000 computers using at least SP4 and XP Pro/2003 computers. When
doing this you need to create an OU with a Group Policy linked to it that
has Restricted Groups configured. Then move the computers [NOT domain
controllers however] that you want to add the global group to the local
administrators group on into that OU. You can also use Restricted Groups to
managed domain groups and you would want to do that on the domain
controllers container. I would consider domain admins to be a very sensitive
group and would consider Restricted Groups to enforce membership of that
group. You should not need very many members of the domain admins group as
much can be done with AD delegation in a domain. --- Steve

http://support.microsoft.com/default.aspx?kbid=810076 --- Resricted Groups
member of
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/gp/611.asp
 --- Restricted Groups

"APJ" <APJ.1vciu1@mail.mcse.ms> wrote in message
news:APJ.1vciu1@mail.mcse.ms...
>
> Was wondering..
> Is there a way of having an AD group called 'Local PC Admin' where one
> may add domain users as members, then whichever PC these users log
> into, they obtain 'Local PC Administrator rights' on that PC during
> their session.?
> Same as the Domain Admins group members can.. only they get domain
> admin rights obviously..
> This would save having to know the username for each PC and users could
> move around as they do..
> AJ
>
>
>
> --
> APJ
> ------------------------------------------------------------------------
> Posted via http://www.mcse.ms
> ------------------------------------------------------------------------
> View this thread: http://www.mcse.ms/message1808657.html
>