Re: Domain Administrator privs on Client
- From: "Roger Abell [MVP]" <mvpNoSpam@xxxxxxx>
- Date: Tue, 14 Feb 2006 19:47:58 -0700
The Enable to delegation setting is quite something else.
If you have enabled that due to this reasoning you should reverse it.
That setting lets the accounts assume the credentials of others in
circumstances where they have the token available.
This is a potential risk if given to any principal that is not regulated.
Restricted groups is the group policy way to dictate the complete
list of members in (of the memberships of) a group.
However, be aware that this is the full list and will replace any
other memberships.
One can set a machine startup script to check that Domain Admins
is still a member of its machine local Administrators group and if not
then add it. This leaves a window of time, between restarts, when
the Administrators might be altered, whereas Restricted Groups
for a member will in default circumstances have a window of about
90 minutes max.
"Tim Guy" <tim@xxxxxxxxxxxxxxxxxxxxx> wrote in message
news:ePpMwhXMGHA.2580@xxxxxxxxxxxxxxxxxxxxxxx
With Windows 2003 AD/Network, I cannot get a domain administrator to
administer a local client / server. Only the local administrator will
work.
I always thought that the setting in Windows 2000 GPOs to overcome that
was "Enable Computer and User accounts to be trusted for delegation"
Doesn't seem to be on Windows 2003. What is the policy setting in a GPO to
get around this?
Cheers
Tim
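
The startup-script approach mentioned in the reply could look like the following. This is an added example, not code from the thread; it assumes Windows PowerShell 5.1 with the Microsoft.PowerShell.LocalAccounts cmdlets, and the log path is hypothetical. It runs only at boot, so the window between restarts described in the reply still applies.

```powershell
#Requires -Version 5.1
# Added example: machine startup script, assigned under
# Computer Configuration > Windows Settings > Scripts > Startup (runs as SYSTEM).
# Groups are addressed by SID so renamed or localized group names do not matter.

$logFile = Join-Path $env:ProgramData 'EnsureDomainAdmins.log'   # hypothetical log path

function Write-Log([string]$Message) {
    Add-Content -Path $logFile -Value ("{0:u} {1}" -f (Get-Date), $Message)
}

try {
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if (-not $cs.PartOfDomain) {
        Write-Log 'Not domain joined; nothing to do.'
        return
    }

    # Resolve this computer's own domain account to obtain the domain SID.
    $machine   = [System.Security.Principal.NTAccount]::new($cs.Domain, "$($cs.Name)`$")
    $domainSid = $machine.Translate([System.Security.Principal.SecurityIdentifier]).AccountDomainSid

    # Domain Admins is always <domain SID>-512.
    $domainAdmins = [System.Security.Principal.SecurityIdentifier]::new(
        [System.Security.Principal.WellKnownSidType]::AccountDomainAdminsSid, $domainSid)

    # The machine-local Administrators group is always S-1-5-32-544.
    $localAdmins = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'

    # Adding is the check: an existing membership raises MemberExistsException.
    Add-LocalGroupMember -SID $localAdmins -Member $domainAdmins.Value -ErrorAction Stop
    Write-Log "Domain Admins ($($domainAdmins.Value)) was missing and has been re-added."
}
catch {
    if ($_.Exception.GetType().Name -eq 'MemberExistsException') {
        Write-Log 'Domain Admins already present; no change.'
    }
    else {
        # Typical cause at boot: the domain could not be reached to resolve the SID.
        Write-Log "FAILED: $($_.Exception.Message)"
        exit 1
    }
}
```

A "re-added" entry in the log means the local Administrators membership was changed since the last boot, which is worth reviewing rather than only repairing.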