Restrict Desktop Administrators Issue

From: Jason (sittingbull7_at_hotmail.com)
Date: 06/03/04


Date: 3 Jun 2004 01:04:55 -0700

I run a small Win2k native mode network with 28 servers,
400 desktops and 6 desktop administrators. All desktop
admins are members of the Domain Admins group.

Due to a recent change in the security policy I've been
told to restrict my six desktop admins yet still allow
them to administer all of the desktops, for desktop
support purposes.

I want to restrict them from logging onto the servers and
managing user accounts. I do not want to stop them from
managing, configuring and administering the users' desktops.

My earlier attempts to get this done have failed!!! I've
added the desktop support people to a new group
named "Desktop Support" and then I created a new group
policy which denies them log on access to the servers OU.
Since these guys are Domain Admins my policy restriction
is not working. They can still log on to the servers.

I thought that the deny permission was supposed to take
priority over the allow permission. Please help as I'm
being pressured to deliver a solution on this security
threat.

I passed the Win 2k Server Exam so I'm not at a total loss
of NTFS permissions. I just don't know what I'm doing
wrong here. Does this require changing ADSI info, taking
them out of the Domain Admins group or something else?

My desktop guys need to be administrators on all the
desktops whenever they log on with their account, but I do
not want them to be able to perform any account management
or server administration.

Thanks,

Jason


