Re: Domain Administrator privs on Client
- From: "Roger Abell [MVP]" <mvpNoSpam@xxxxxxx>
- Date: Thu, 16 Feb 2006 18:02:38 -0700
It is fairly normal to restrict admin access to SQL Server to only
those that know how to run SQL. By default, as part of domain
join, Domain Admins is added to a machine's Administrators
group and Domain Users to its Users group. Often on servers
that are sensitive and that require specialized skill to run correctly
the first of these is undone, and very often on all servers the second
is undone; but in both cases when the domain groups are removed
they are replaced with what should be given those memberships.
What we were saying is that if you have a category of machines
that you want Domain Admins group to be guaranteed as a member
in those machines' local Administrators group, then with those
machines impacted by some GPO (not linked at the domain or
the DC OU levels) you can in that GPO define a Restricted Group
definition for Administrators and state that Administrator and
Domain Admins is the (complete, total) membership.
All machines under the influence of that Restricted Group definition
will then soon have their Administrators group made to conform.
This is actually not as useful as it sounds, as very often one machine
needs a different account also in its admins, another another, etc.
"Tim Guy" <tim@xxxxxxxxxxxxxxxxxxxxx> wrote in message
news:e7MPuLiMGHA.2560@xxxxxxxxxxxxxxxxxxxxxxx
OK. I understand Restricted Groups.
But I don't understand how that will help me allow domain admins and domain
administrators to be able to act as administrators of local machines.
Unless you're telling me that the domain admins and administrators are
already in a group somewhere that I don't know about?
I.e. I have an SQL server on my domain; I have to log in as the local SQL
administrator to do most admin tasks. I'd rather use the domain
administrator account to do these things, but it won't allow me to do it,
saying various things along the lines of "You do not have the
privileges to install this", etc., etc....
Tim
"Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message
news:e039MpdMGHA.1488@xxxxxxxxxxxxxxxxxxxxxxx
The Enable to delegation setting is quite something else.
If you have enabled that due to this reasoning you should reverse it.
That setting lets the accounts assume the credentials of others in
circumstances where they have the token available.
This is a potential risk if given to any principal that is not regulated.
Restricted groups is the group policy way to dictate the complete
list of members in (of the memberships of) a group.
However, be aware that this is the full list and will replace any
other memberships.
One can set a machine startup script to check that Domain Admins
is still a member of its machine local Administrators group and if not
then add it. This leaves a window of time, between restarts, when
the Administrators might be altered, whereas Restricted Groups
for a member will in default circumstances have a window of about
90 minutes max.
"Tim Guy" <tim@xxxxxxxxxxxxxxxxxxxxx> wrote in message
news:ePpMwhXMGHA.2580@xxxxxxxxxxxxxxxxxxxxxxx
With Windows 2003 AD/Network, I cannot get a domain administrator to
administer a local client / server. Only the local administrator will
work.
I always thought that the setting in Windows 2000 GPOs to overcome that
was "Enable Computer and User accounts to be trusted for delegation".
Doesn't seem to be on Windows 2003. What is the policy setting in a GPO
to get around this?
Cheers
Tim
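The startup-script approach Roger describes (check that Domain Admins is still in the machine-local Administrators group and add it back if not) as an added example that is not part of the thread. It assumes a modern Windows host (Windows 10 / Server 2016 or later, where the Microsoft.PowerShell.LocalAccounts cmdlets exist; on the 2003-era systems in the thread the same check would be done with `net localgroup`), that the script runs as SYSTEM from a computer startup GPO, and the `CORP\Domain Admins` value is a placeholder for your own domain's NetBIOS name.

```powershell
# Added example, not from the thread. Startup script: re-add Domain Admins to the
# local Administrators group if it has been removed. Runs as SYSTEM under a
# computer startup GPO; requires Microsoft.PowerShell.LocalAccounts.
param(
    # Placeholder: replace CORP with your domain's NetBIOS name.
    [string]$DomainAdmins = 'CORP\Domain Admins',
    # Placeholder log path; a startup script has no console, so record what it did.
    [string]$LogPath = "$env:SystemRoot\Temp\ensure-domain-admins.log"
)

function Write-Log([string]$Message) {
    "$(Get-Date -Format o) $Message" | Out-File -FilePath $LogPath -Append -Encoding utf8
}

try {
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
} catch {
    Write-Log "Could not enumerate local Administrators: $($_.Exception.Message)"
    exit 1
}

# Match on the well-known Domain Admins RID (512) rather than on the display
# name, so the check still works if the group has been renamed. Note this also
# matches a Domain Admins group from any trusted domain that is present.
$present = $members | Where-Object { $_.SID.Value -like 'S-1-5-21-*-512' }

if ($present) {
    Write-Log "Domain Admins already present as $($present.Name -join ', '); nothing to do."
    exit 0
}

try {
    Add-LocalGroupMember -Group 'Administrators' -Member $DomainAdmins -ErrorAction Stop
    Write-Log "Domain Admins was missing from local Administrators; added $DomainAdmins."
} catch {
    Write-Log "Failed to add $DomainAdmins to local Administrators: $($_.Exception.Message)"
    exit 1
}
```

As the thread notes, this only enforces membership at boot, so any change made between restarts stays in place until the next one, whereas a Restricted Groups policy is re-applied on the normal Group Policy refresh cycle. The script only adds the missing group and leaves every other member alone, which is the behaviour Roger contrasts with the "complete, total membership" semantics of a Restricted Groups "Members of this group" definition.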