Re: Allowing users to be local admins of their workstation

Adding to admins is ill-advised, and to Domain Admins is a road to chaos.
If possible look at solutions, such as the suggested WSUS if it is only for
MS updates, look at whether you can package non-MS updates for AD
based assignment, etc. If you must give out admin, do not give it to their
daily use account, but rather provide another with instructions that it is
only for use in cases of approved install need (and make it a local account).

If you cannot select to add a domain account to a local group then is
the machine joined to the domain? Are all the drop boxes in the user
picker dialog being used correctly? It should be no problem.
The same is true of adding local accounts to a local group - make sure you
are setting the look into location dropbox.

"Curt Winter" <CurtWinter@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:533E405F-BB5E-45B0-A554-A890646582CD@xxxxxxxxxxxxxxxx
I just installed a new Server 2003 R2 AD domain server.

In the past I was able on the local machine to add the user of that machine
to the local admins group.

When I went to add the user to the local admins I was not able to see any of
the domain users, nor put them in manually.

Any thoughts on how I can allow users to install critical updates on their
local machines with adding them to the domain admins group.

Any thoughts would be appreciated.

Thank you.

