Re: Apply policies in non AD domain
From: Doug Ozero (doug@dontlike.spam)
Date: 08/14/02
- Next message: Chris Stainer: "User/Group Administration"
- Previous message: Sooner Al: "Firewall in Windows XP"
- In reply to: Roger Abell [MVP]: "Re: Apply policies in non AD domain"
- Next in thread: Roger Abell: "Re: Apply policies in non AD domain"
- Reply: Roger Abell: "Re: Apply policies in non AD domain"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Doug Ozero" <doug@dontlike.spam> Date: Wed, 14 Aug 2002 09:16:40 -0700
Thanx. looks like I will have to remove him from the
local admin users group and change the password on the
local administrator account.
What would be the most security I could assign to the user
to prevent him from making security changes yet still
allow him to run programs without problems?
He will be logging in with a domain login and not a local
user account. Will the Power Users group accomplish
this? I so recall that we have had problems with some
programs before where power users wasn't enough, they
wanted to be administrator.
>-----Original Message-----
>Doug,
>
>In my experience Torgeir is pretty much right.
>If someone is admin they are admin. In an AD
>domain you could use restricted groups from a
>GPO, and the local admin would be able to only
>temporarily modify this. Outside of an AD domain,
>what you use to effect the Domain Admin membership
>and the forcing on of admin shares would be pretty
>easily reversed by the knowing local admin.
>
>--
>Roger Abell
>MS MVP (Windows Platform), MCSE, MCDBA
>Associate Expert - Windows XP ExpertZone
>http://www.microsoft.com/windowsxp/expertzone
>
>"Doug Ozero" <Doug@notrealbecuzof.spam> wrote in message
>news:09a001c24327$cc999d00$9be62ecf@tkmsftngxa03...
>> We are running both w2k and wxp in an NT4 domain. I
have
>> a "super user" who likes to muck with his system
settings
>> and lock out our domain administrators group from his
>> machine running XP pro.
>>
>> This guy is quite knowledgable about xp so i am not
>> concerned with giving him admin rights on his local
>> machine to install software etc. I would like to be
able
>> to apply some sort of policy that will automatically add
>> the domain admin group back into the local admin group
on
>> the machine and possible replace the default admin
shares
>> on the machine.
>>
>> We do not use active directory so I am not sure what the
>> best way to accomplish this is or if it is possible.
This
>> guy also knows and maintains the local administrators
>> account and password.
>>
>> Any help would be appreciated.
>>
>> thx.
>
>
>.
>
- Next message: Chris Stainer: "User/Group Administration"
- Previous message: Sooner Al: "Firewall in Windows XP"
- In reply to: Roger Abell [MVP]: "Re: Apply policies in non AD domain"
- Next in thread: Roger Abell: "Re: Apply policies in non AD domain"
- Reply: Roger Abell: "Re: Apply policies in non AD domain"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
