Re: Basic User Setup

From: Steven Umbach (n9rou_at_n0spam-comcast.net)
Date: 07/21/04


Date: Wed, 21 Jul 2004 23:28:03 GMT

You could use the computer configuration "restricted groups" to create a global
group and for instance put domain admins and domain users in it and then use
restricted groups to enforce the membership of the domain computers in that OU
to contain your global group. The downside of this method is that it will
probably remove all existing members of the local administrators groups on those
computers, hence the name restricted groups, and domain users would be
administrators of all computers in the OU, not just a particular one. If you do not
want to wipe out current membership of the local administrators group in that OU
you could use a logon script to add a global group [such as domain users or a
custom group you create]. Such a script could use the net command as in [ net
localgroup administrators mydomain\mygroup /add ]. If you want to have a user be
administrator on just their computer, you will need to individually add their
domain account to the local administrators group on their computer. You can also
restrict what domain computers a user accesses via their logon to restrictions
in their AD account properties and also through the user rights for logon
locally and access this computer from the network. There are also deny user
rights for those two settings but be careful with deny user rights as they
override any "allow" user right and administrators are also members of the users
and everyone groups. Also local administrators have no special rights in the
domain.

--- Steve

http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q320065 --- this must
be done at the OU level for local administrator groups or you run the risk of
adding to the administrators group for the domain!!

"Adrian Marsh" <hidden@somewhere.com> wrote in message
news:ufFpAA3bEHA.1652@TK2MSFTNGP09.phx.gbl...
> Hi,
>
> I've setup some OUs on my domain, separating out Computers and Users,
> and in addition I've created a 3rd OU for "test" computers.
>
> I can see that I can still add users to groups, as in NT4, but how can I
> enable the users that use machines in the "test" OU to be local
> administrators of the machines in the "test" OU, but not be local
> admins of Computers in the normal "Computers" OU ? And how can these
> users be setup as admins of the "test" computers, but not admins of the
> Domain itself (i.e. not part of Domain Admins group). Normally I'd add
> them locally on those PCs into the client Administrators group, but
> there must be a way of doing this from the Domain itself..
>
> I'm guessing that it has something to do with the Built-in group
> Administrators in the Domain, but I can't quite see how it fits.
>
> Adrian
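
The script-based approach from the reply above, as an added example that is not part of the original thread: it adds the group only when it is missing and then reports local administrators outside a baseline, since this approach leaves existing members in place. Assumptions: Windows PowerShell 5.1 or later, an elevated context (for example a computer startup script), the post's placeholder `mydomain\mygroup`, and a hypothetical baseline list.

```powershell
# Added example, not from the original post. Requires the
# Microsoft.PowerShell.LocalAccounts module and an elevated context.
$AdminsSid  = 'S-1-5-32-544'          # well-known SID of BUILTIN\Administrators
$GroupToAdd = 'mydomain\mygroup'      # placeholder name used in the post

# Assumed baseline of who should be a local administrator on a "test" OU machine.
$Expected = @(
    "${env:COMPUTERNAME}\Administrator",
    'mydomain\Domain Admins',
    $GroupToAdd
)

function Get-LocalAdminNames {
    # Returns member names as DOMAIN\name or COMPUTER\name strings.
    @(Get-LocalGroupMember -SID $AdminsSid | ForEach-Object { $_.Name })
}

function Add-GroupIfMissing {
    param([string]$Member)
    if ((Get-LocalAdminNames) -contains $Member) {
        return $false                 # already present, nothing to change
    }
    Add-LocalGroupMember -SID $AdminsSid -Member $Member -ErrorAction Stop
    return $true
}

function Get-UnexpectedAdmins {
    param([string[]]$Baseline)
    Get-LocalAdminNames | Where-Object { $Baseline -notcontains $_ }
}

try {
    if (Add-GroupIfMissing -Member $GroupToAdd) {
        Write-Output "Added $GroupToAdd to local Administrators on $env:COMPUTERNAME"
    }
} catch {
    Write-Warning "Could not add ${GroupToAdd}: $($_.Exception.Message)"
}

# Unlike Restricted Groups, adding a member leaves existing members in place,
# so report anything outside the baseline for review instead of removing it.
Get-UnexpectedAdmins -Baseline $Expected | ForEach-Object {
    Write-Warning "Unexpected local administrator on ${env:COMPUTERNAME}: $_"
}
```

Linking the script only to a GPO scoped to the "test" OU keeps the change off machines in the normal "Computers" OU.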


