There are two "levels" of admin using the domain's Administrators
group or using the Domain Admins group. Domain Admins grants
a number of things not granted by the domain's Administrators group,
such as privileges on AD objects. The domain's Administrators group
is recognized by all DCs.
I have domain with many DC, i want to grant some user administrative
rights
only on specified DC, not for entire domain. I have read KB240267
("Administrators cannot be restricted in Windows 2000" - http://support.microsoft.com/kb/240267). It's impossible for Win200, and
what
about Win2003?
RE: software to control domain administrators ... "Does anyone know any software to control, audit, or restrict access or privileges to domain administrators."... I will restate my mantra differently, If you can not trust someone to be in a position of complete un-adulterated control of your network, then they should not be in that position. ... >(assuming we are talking about NT/AD Domain Admins) ... (Security-Basics)
Re: Settle a Administrators dispute ...Administrators Local Group on the DC but not in the Domain Admins...Global Group, the users of the Global Group do not have the same ...restricted groups policy.... (microsoft.public.windows.server.active_directory)
Re: Local admin group? ... No don't remove the domain admins group from the administrators group for ... Create a global group of users to add the local administrators... > for the purpose of updates but I don't want them to have admin rights on ... (microsoft.public.win2000.security)
Re: Privilege elevation not sticking ... If you do not have administrator control on that domain computer, ...Net localgroup administrators would show that information. ... > In AD Users & Computers on the DC I make a User a member of Domain Admins.... (microsoft.public.win2000.security)
Re: Trust Relationship NT4 & W2K Domains ... That is why you would have to add them to the administrators built in group for that ... You should see that the domain admins group of a domain is already a member of the ... built in administrators group for the domain. ... > the Trust Relationship work between the NT4 Domains. ... (microsoft.public.win2000.security)
