Re: User/Group Administration
From: Roger Abell (mvpNOSPAM@asu.edu)
Date: 08/15/02
- Next message: Roger Abell: "Re: Ok this is an odd one, I call it a ghost account read on to see what I am saying"
- Previous message: Roger Abell: "Re: Yes, the file system is NTFS%%"
- In reply to: Chris Stainer: "User/Group Administration"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Roger Abell" <mvpNOSPAM@asu.edu> Date: Wed, 14 Aug 2002 18:59:03 -0700
"Chris Stainer" <cstainer@jscsc.org> wrote in message
news:347901c243ae$1d1a5270$9ae62ecf@tkmsftngxa02...
> Following a successful migration to Windows 2000, we are
> starting to make use of dedicated groups to administer the
> domain, i.e. Desktop Support Admins, Hardware Admins, that
> can configure and administer computers but who are not
> members of the Domain Admins local group. However, we did
> not include the two aforementioned groups into the local
> (client) Administrators group, so they are having problems
> connecting to the workstations remotely, or install
> applications without having to use the local administrator
> account (i.e. using RunAs, etc.)
>
> Although myself and my colleagues are aware of logging
> locally, via a deskside visit or via connecting in the MMC
> (high TCO), I was wondering if anyone had a cool script
> that would allow us to remotely add the two groups into the
> local (client) Admins group, i.e. via VBScript or command-
> line batch files (low TCO), or can this be done via Group
> Policy???
>
> Any advice would be much appreciated, by myself, our
> systems administrators and our efficient helpdesk guys.
>
> Regards,
>
> Chris J. Stainer
>
The following may work for you, if you are comfortable
with all of the accounts being admins full-time on the
workstations. This is not always advisable, depending
on the size of the groups.

If the workstations are in one or more OUs, you can use
an OU linked GPO to control the membership in the local
Administrators group. Do this by defining a Restricted
Group, naming it Administrators but being careful not to
select the listed Administrators (which would be the domain
group). Keep in mind that this will control precisely what is
the membership of the Administrators group and into what
the group is itself a member, so be complete (Administrator,
Domain Admins, spare-local-acct, domain-hardware-admins,
and so forth).
--
Roger Abell
MVP (Windows Platform)
Associate Expert
The Expert Zone - www.microsoft.com/windowsxp/expertzone
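
Added example, not part of the original message: a Restricted Groups setting is saved in the GPO's GptTmpl.inf under [Group Membership], so the "be complete" advice can be checked before the GPO is linked. The sample INF text (domain SID, RID 1105) is constructed, and the REQUIRED checklist and function names are assumptions made for this sketch.

```python
import re

# Constructed sample of the [Group Membership] section that a Restricted
# Groups policy writes to GptTmpl.inf; the domain SID and RID 1105 are made up.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-512,*S-1-5-21-1111111111-2222222222-3333333333-1105
"""

LOCAL_ADMINS = "*S-1-5-32-544"  # well-known SID of the built-in Administrators group

def restricted_groups(inf_text):
    """Return {GROUP: {"members": [...], "memberof": [...]}} parsed from the INF text."""
    groups, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        m = re.match(r"(.+?)__(members|memberof)\s*=\s*(.*)$", line, re.I)
        if in_section and m:
            group, kind, value = m.groups()
            entry = groups.setdefault(group.strip().upper(), {"members": [], "memberof": []})
            entry[kind.lower()] = [v.strip() for v in value.split(",") if v.strip()]
    return groups

def missing_from_admins(inf_text, required):
    """Labels of required entries absent from the policy's Administrators member list."""
    policy = restricted_groups(inf_text).get(LOCAL_ADMINS)
    if policy is None:
        return None  # Administrators is not restricted by this template
    return [label for label, test in required
            if not any(test(m) for m in policy["members"])]

# Assumed checklist, taken from the reply's list; entries may be names or *SIDs.
REQUIRED = [
    ("built-in Administrator", lambda m: m.lower() == "administrator" or re.fullmatch(r"\*S-1-5-21-[\d-]+-500", m)),
    ("Domain Admins", lambda m: m.lower().endswith("domain admins") or re.fullmatch(r"\*S-1-5-21-[\d-]+-512", m)),
]

if __name__ == "__main__":
    print(missing_from_admins(SAMPLE_INF, REQUIRED))
```
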