I have a question which I hope somebody may have an answer to.
I would like to know whether there are any implications of making an
ordinary user a member of Domain Admins on a Windows 2003 domain while
at the same time placing said user into a restricted GPO.
What I would like to find out is whether by having the limitations of
the GP imposed on this user whether that would prevent said user from
being able to take advantage of the fact they're a member of Domain
Admins?
Any feedback on this would be greatly appreciated.
Re: How to change domain administrator to limited/restricted user? ... Depending on the number of users, computers, member servers and the rest of the infrastructure, I might be tempted to start over. ... If it's "a" domain administrator, then remove the user from the ... Are the individual users direct members of the Domain Admins group or members of a group added to the Domain Admins group. ... Check a workstation or two and see if the user is a member of the local workstation administrators group.... (microsoft.public.windows.server.sbs)
Re: no Domain Admin rights to a Domain Server ... If the computer is still a member of the domain with proper DNS name ... the domain it needs to be joined to the domain again and the domain admins... I can logon locally to the machine but the rights are that of a ... the server belongs to engineering and the person in charge ... (microsoft.public.win2000.security)
Re: Group Policy on a remote computer ... By default, members of Domain Admins are administrators on member computers, but not Enterprise Admins. ... The domain controller is Windows Server 2003 R2 SP2; the target computer is XP Professional SP2. ... The usual process is to create a Group Policy Object in the Domains Active Directory and link it to the OU with the target computer accounts or user accounts. ... (microsoft.public.windows.group_policy)
Re: Login Script ... helpdesk person) to not be a member of "Domain Admins", but to be able to be ... > (The user cannot add himself nor can the computer startup... > We could build a Startup script that would do this IF ... (microsoft.public.win2000.active_directory)
Re: Local Admin ... This posting is provided "AS IS" with no warranties, ... > the group that is your focus in the local Administrators group.... > like the Domain Admins group to be a member of each and every WIN2000 and ... > you might want to include the Domain Admins group..... ... (microsoft.public.windows.server.active_directory)
