Re: Restrict Desktop Administrators Issue

From: Shenan Stanley (news_helper_at_hushmail.com)
Date: 06/03/04

  • Next message: Andy Cadley: "Re: Restrict Desktop Administrators Issue"
    Date: Thu, 3 Jun 2004 03:14:18 -0500
    
    

    Jason wrote:
    > I run a small Win2k native mode network with 28 servers,
    > 400 desktops and 6 desktop administrators. All desktop
    > admins are members of the Domain Admins group.
    >
    > Due to a recent change in the security policy I've been
    > told to restrict my six desktop admins yet still allow
    > them to administer all of the desktops, for desktop
    > support purposes.
    >
    > I want to restrict them from logging onto the servers and
    > managing user accounts. I do not want to stop them from
    > managing, configuring and administering the users' desktops.
    >
    > My earlier attempts to get this done have failed!!! I've
    > added the desktop support people to a new group
    > named "Desktop Support" and then I created a new group
    > policy which denies them log on access to the servers OU.
    > Since these guys are Domain Admins my policy restriction
    > is not working. They can still logon to the servers.
    >
    > I thought that the deny permission was supposed to take
    > priority over the allow permission. Please help as I'm
    > being pressured to deliver a solution on this security
    > threat.
    >
    > I passed the Win 2k Server Exam so I'm not at a total loss
    > of NTFS permissions. I just don't know what I'm doing
    > wrong here. Does this require changing ADSI info, taking
    > them out of the Domain Admins group or something else?
    >
    > My desktop guys need to be administrators on all the
    > desktops whenever they logon with their account, but I do
    > not want them to be able to perform any account management
    > or server administration.

    Take them out of Domain Admins.
    Make a new group, put them in it.. Push out that group to be local admins on
    all Workstations. (Group Policies, Startup Scripts, Logon Scripts, PSEXEC,
    SMS or whatever your favorite method is..)

    -- 
    <- Shenan ->
    -- 
    The information is provided "as is", with no guarantees of
    completeness, accuracy or timeliness, and without warranties of any
    kind, express or implied.  In other words, read up before you take any
    advice - you are the one ultimately responsible for your actions.
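
Added example, not part of the original post: one way to push the group out with a computer startup script, as the reply suggests. The domain name EXAMPLE and the log path are assumptions; "Desktop Support" is the group name from the quoted question. Link the GPO that carries the script only to the OU holding the workstations so the servers never receive it.

```bat
@echo off
rem Added example: computer startup script (runs as LocalSystem at boot).
rem Assumptions: domain EXAMPLE, global group "Desktop Support", log path below.
rem The desktop admins must already be removed from Domain Admins, otherwise
rem they keep administrative rights on the servers regardless of this script.
setlocal
set "GROUP=EXAMPLE\Desktop Support"
set "LOG=%SystemRoot%\Temp\desktop-support-localadmin.log"

rem Idempotent: do nothing if the group is already a local administrator.
net localgroup Administrators | find /i "%GROUP%" >nul
if not errorlevel 1 goto done

rem Add the domain group to the local Administrators group.
net localgroup Administrators "%GROUP%" /add >nul 2>&1
if errorlevel 1 (
    rem Typical causes: no domain controller reachable yet, or the group name is wrong.
    echo %DATE% %TIME% %COMPUTERNAME% FAILED to add "%GROUP%" >> "%LOG%"
    exit /b 1
)
echo %DATE% %TIME% %COMPUTERNAME% added "%GROUP%" >> "%LOG%"

:done
endlocal
exit /b 0
```

Running `net localgroup Administrators` on a workstation after the next reboot shows whether the group was added; the log file records the machines where the add failed.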
    
