Re: Local administrator rights on target machines



What you apparently did was to make that restricted group definition
in a GPO linked to a location where it influences more than just the
intended machines (like to the domain object instead of linking to an OU
that holds only the machines you intend to target).
The other thing that you did was to replace the membership of
the administrators group with what you had specified in the GPO,
at least if I correctly read your statement:
    "In 'restricted groups' [under Computer Configuration -> Windows
    settings -> Security settings] added 'administrators' group, and
    made this account member of this group."

Instead, you said your requirement was:
    "I have to provide a domain account with local
    administrator privileges on a subset of machines."
That does not say anything about making it the only admin, or
about removing other accounts that may be members on the
subject machines.

See
http://support.microsoft.com/?id=810076
or Laura's response to the thread in this newsgroup immediately
before this one.

"Ram" <ramprakashj@xxxxxxxxxxxxxxxx> wrote in message
news:1156492673.443763.235030@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Dear All,
As part of requirement, I have to provide a domain account with local
administrator privileges on a subset of machines. To accomplish this, I
created a GPO for those machines.

In 'restricted groups' [under Computer Configuration -> Windows
settings -> Security settings] added 'administrators' group, and
made this account member of this group.

Though I achieved my purpose, I feel that I gave elevated privileges
to this domain account. Kindly suggest me any better solution where I
can give this domain account only local administrator privileges on the
targeted computer accounts?

Regards
Ram
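
Added example (not part of the original posts, and not Microsoft's code): a Python check that reads the [Group Membership] section of a GPO security template (GptTmpl.inf) and reports whether it replaces the local Administrators membership (a "Members" list, which is what the reply above describes) or only adds an account to it (the additive "Member of" form). The function names are hypothetical, and the sample template with its S-1-5-21-1111-2222-3333-* SIDs is constructed.

```python
ADMINISTRATORS = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators

# Constructed sample template; the domain SIDs are placeholders.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111-2222-3333-1105
*S-1-5-21-1111-2222-3333-1106__Memberof = *S-1-5-32-544
*S-1-5-21-1111-2222-3333-1106__Members =
"""

def parse_group_membership(inf_text):
    """Return (mode, subject, [principals]) for each entry that lists names."""
    entries, in_section = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        subject, sep, suffix = key.strip().rpartition("__")
        names = [v.strip().lstrip("*") for v in value.split(",") if v.strip()]
        if not sep or not names:
            continue  # not a membership line, or nothing listed on it
        mode = {"members": "replace", "memberof": "add"}.get(suffix.lower())
        if mode:
            entries.append((mode, subject.lstrip("*"), names))
    return entries

def administrators_findings(inf_text):
    """Describe how the template touches the local Administrators group."""
    out = []
    for mode, subject, names in parse_group_membership(inf_text):
        if mode == "replace" and subject == ADMINISTRATORS:
            out.append(("replace", names))   # members not listed are removed
        elif mode == "add" and ADMINISTRATORS in names:
            out.append(("add", [subject]))   # existing members are kept
    return out

if __name__ == "__main__":
    for mode, who in administrators_findings(SAMPLE_INF):
        print(mode, who)
```

A "replace" finding in a GPO linked at the domain level is the combination the reply warns about: every machine in scope has its local Administrators group overwritten.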


