Re: System Admin - Tomasz
From: Oli Restorick [MVP] (oli_at_mvps.org)
Date: 07/22/04
- Next message: Tomasz Onyszko: "Re: System Admin - Tomasz"
- Previous message: Jeff Cochran: "Re: Client Has BIG Domain Mess... NT/2000 Conflict"
- In reply to: Craig: "System Admin - Tomasz"
- Next in thread: Tomasz Onyszko: "Re: System Admin - Tomasz"
- Reply: Tomasz Onyszko: "Re: System Admin - Tomasz"
- Messages sorted by: [ date ] [ thread ]
Date: Thu, 22 Jul 2004 21:18:57 +0100
Delegation of rights allows a user or group to manipulate objects in the
Active Directory. This is distinct from having privileges at any particular
PC.
To be able to properly install software, he would need to be a member of the
local administrators group at any machine on which you want him to be able
to install software. You do not have to make him a domain admin for this.
There is a feature called "restricted groups" which allows you to control
the membership of local administrator groups. However, my preferred method
is to use group policy to run the command "net localgroup administrators
domain\mygroup /add" as a computer startup script. This will add "mygroup"
to the local administrators group.
The whole concept of a "restricted admin" is invalid. If you have the
ability to install software, you have the ability to change the software on
the PC and that could include making yourself an administrator of that PC.
Also, you need to take into account any administrative dependencies
which may arise. For instance, if you routinely log in using a domain
administrator account anywhere other than domain controllers, an employee
with administrative rights to a machine where you log in with domain admin
rights could very easily elevate their privileges. This is not a weakness
in Windows. It's a weakness that many people have in their network
administration procedures.
Regards
Oli
"Craig" <crathjen@fsa.com> wrote in message
news:230301c4701a$f0242de0$a401280a@phx.gbl...
> Hi Tomasz.
> I was wondering if you could make this a bit clearer.
> This is what you replied to me on the Microsoft Newsgroup
> for Active Directory:
>
> This was discussed today on this list - You can
> accomplish this by
> forcing administrators group membership via Restricted
> Group settings in
> GPO. This option lets you specify who will be a member of
> specified
> group (for example administrators) and then force this
> setting on all
> systems which are under the scope of this GPO
>
>
> The situation is this:
> We have a tech whom we do not want to make a part of
> any admin group, but who should still have the capability of
> installing software. Is that possible? I guess I did not
> understand the "specified group" part. We do not want to
> make him part of this group (administrators). We want to
> keep him a domain user, but with the ability to install
> software (limited administrative rights). I have tested
> out a few things (delegating control, for one), but it
> doesn't seem to have the choices that I want. It seems
> that he needs to be at least a power user to the local
> pc, because I tried it with a user account locally, which
> didn't work. But when I gave him "Power user" rights, it
> seemed to work.
>
> Any ideas would be greatly appreciated.
>
>
> Thanks again for your post.
>
> Craig
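The startup-script approach Oli describes, written out as an added example (not a script from the original post): a cmd batch file for a GPO computer startup script that adds a domain group to the local Administrators group. The domain name MYDOMAIN and group name Techs are placeholders, and the log path is an assumption.

```batch
@echo off
rem Added example, not from the original post. GPO computer startup script:
rem Computer Configuration -> Windows Settings -> Scripts (Startup/Shutdown) -> Startup.
rem Runs as LocalSystem at boot, so it can modify local group membership.
rem MYDOMAIN\Techs is a placeholder; substitute the real domain\group.
setlocal
set "ADMINGROUP=MYDOMAIN\Techs"
set "LOG=%SystemRoot%\Temp\localadmin-startup.log"

rem Check membership first so the script is idempotent: "net localgroup ... /add"
rem returns an error every boot once the group is already a member, which
rem would otherwise clutter the event log and the startup-script log.
net localgroup Administrators | find /i "%ADMINGROUP%" >nul
if %errorlevel%==0 (
    echo %date% %time% %ADMINGROUP% already in Administrators on %COMPUTERNAME% >> "%LOG%"
    goto :eof
)

rem Not yet a member: add the domain group to the local Administrators group.
net localgroup Administrators "%ADMINGROUP%" /add
if %errorlevel%==0 (
    echo %date% %time% Added %ADMINGROUP% to Administrators on %COMPUTERNAME% >> "%LOG%"
) else (
    rem Typical causes: the domain was not reachable at boot, or the group name is wrong.
    echo %date% %time% FAILED to add %ADMINGROUP% on %COMPUTERNAME% (errorlevel %errorlevel%) >> "%LOG%"
)
endlocal
```

The log file gives an audit trail per machine of when local admin rights were granted; as Oli notes, every member of that domain group is then a full local administrator on every machine in the GPO's scope, so keep the group's membership small and review it regularly.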