Re: Allowing a Domain User Admin Rights to a Couple of Domain Servers
From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 06/30/05
Date: Thu, 30 Jun 2005 06:27:36 -0700
There are only a few differences between a Power Users member
and an Administrators group member, but they are significant.
IIRC there is a read on this in the res kit
www.reskits.com
A reasonably knowledgeable and resourceful Power Users member
will find a way to become an Administrators group member.
If you do nothing to prevent it then a machine local Administrators
member will be able to alter the memberships of any group on
that machine. What you can do to semi-prevent this is to use a
GPO in the AD to set a Restricted Group definition of the members
of Administrators in a GPO linked to an OU that contains those
couple machines. The machine local admin can change the members
in the Administrators group on the machines, one by one, but it will
then turn out to be temporary, and will get reset periodically due to
enforcement of the GPO. Also, depending on why they need to be
Administrators member on the machines, if it does not get in the way
of doing that, then you can also set in the GPO policies that will make
it so that they cannot get at the tools needed to change the membership
of Administrators or at the cmd prompt (but actually doing this is less
simple than it at first sounds).
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA

<inteltech@gmail.com> wrote in message
news:1120104450.702718.120000@o13g2000cwo.googlegroups.com...
> matt/Roger
>
> Thanks for the replies.
>
> That explains how you do it.
>
> Now is there any way to prevent the user that I add to those accounts
> being able to add additional users to the group, or remove users?
>
> Could anyone point me to where I could find the differences between a
> Power User and an Administrator?
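
Between policy refreshes, a locally altered Administrators group can be caught by comparing it with the membership the Restricted Groups policy defines. The PowerShell below is an added example, not part of the original post; the account names in `$Expected` and the fallback sample are constructed placeholders, and the live query assumes Windows PowerShell 5.1 or later (LocalAccounts module).

```powershell
# Added example: report drift between the membership a Restricted Groups
# policy is meant to enforce and what is actually in local Administrators.

function Compare-AdminMembership {
    param(
        [string[]]$Expected,   # members the GPO defines (maintained by you)
        [string[]]$Actual      # members currently in the group
    )
    # Account names are case-insensitive on Windows, so normalise first.
    $exp = @($Expected | ForEach-Object { $_.Trim().ToLowerInvariant() })
    $act = @($Actual   | ForEach-Object { $_.Trim().ToLowerInvariant() })

    [pscustomobject]@{
        Unexpected = @($act | Where-Object { $_ -notin $exp })  # added locally
        Missing    = @($exp | Where-Object { $_ -notin $act })  # removed locally
    }
}

# Constructed placeholder names; replace with the members set in the GPO.
$Expected = @(
    'EXAMPLE\Domain Admins',
    'EXAMPLE\ServerOps-Web',
    "$env:COMPUTERNAME\Administrator"
)

$Actual = if (Get-Command Get-LocalGroupMember -ErrorAction SilentlyContinue) {
    # Well-known SID of BUILTIN\Administrators, so a renamed or localised
    # group name does not break the lookup.
    (Get-LocalGroupMember -SID 'S-1-5-32-544').Name
} else {
    # Constructed sample so the comparison can be shown off-box.
    @('EXAMPLE\Domain Admins', 'EXAMPLE\ServerOps-Web',
      "$env:COMPUTERNAME\Administrator", 'EXAMPLE\jdoe')
}

$drift = Compare-AdminMembership -Expected $Expected -Actual $Actual
if ($drift.Unexpected -or $drift.Missing) {
    $drift.Unexpected | ForEach-Object { Write-Warning "Not in policy: $_" }
    $drift.Missing    | ForEach-Object { Write-Warning "In policy but absent: $_" }
} else {
    Write-Output 'Local Administrators matches the policy definition.'
}
```

Run on a schedule that is shorter than the policy refresh interval, the warnings record changes that the next GPO enforcement would otherwise silently revert.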