Re: Group Policy setting for restricting creation of local user accounts



Well, you have now significantly changed the scenario.
There is really no way to prohibit a Domain Admin from doing what
they want to do. You can make it more difficult, but you ultimately
cannot do it.

For example, if DA was not in each machine's local Administrators
group, then they could not do anything to those machines - until they
forced their account to again become a member of Administrators on
those machines (which they could do).

You probably need to address your issue either by not having as DAs
those that you do not trust to the needed extent, and/or by having clearly
stated limits on acceptable/unacceptable actions for DA power usage
with the expectation that they will conform to the limits.


"B.E. Jorgenson" <jorgenson.b@xxxxxxxxx> wrote in message
news:1159804569.016570.299160@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Here's the problem.... I have domain administrators that I do not want
creating local users on computers. Would I have to create a restricted
group that mimics domain admins rights minus the right to create local
users?


Roger Abell [MVP] wrote:
"B.E. Jorgenson" <jorgenson.b@xxxxxxxxx> wrote in message
news:1159560514.691170.269170@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Right, but I am looking for a group policy, security template, or local
security policy.


You could use a restricted group definition in a GPO applied at an
OU level (not to DC OU or to Domain) that carries definition for
Administrators naming only what you want included in them all.
It is often convenient for that GPO to also have a rename policy set
renaming the built-in Administrator


KenB wrote:
Restricting the users to non-administrator access will prevent them
from being able to create accounts on the computers.

Ken


"B.E. Jorgenson" <jorgenson.b@xxxxxxxxx> wrote in message
news:1159380582.077768.320930@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Is there a way through group policy to restrict any user from
creating local computer user accounts when the computer is joined to
the domain?
This has nothing to do with logon locally but actually creating a
local user account.

Thanks,
Brian
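
An added example, not part of the thread: the Restricted Groups approach above fixes who is in Administrators but does not stop an administrator from creating local accounts, so a periodic audit of each machine can report drift from the intended state. It assumes Windows PowerShell 5.1 or later (LocalAccounts module); `EXAMPLE\Domain Admins` is a constructed placeholder and `Get-MembershipDrift` is a hypothetical helper name.

```powershell
# Added example, not code from the thread. Run locally or through your remoting tool of choice.
# Placeholder allowlist: the principals your Restricted Groups GPO names for Administrators.
$AllowedAdmins = @(
    'EXAMPLE\Domain Admins'              # constructed placeholder
    "$env:COMPUTERNAME\Administrator"    # adjust if a rename policy is applied
)

function Get-MembershipDrift {
    # Compare actual group members with the allowlist (comparison is case-insensitive).
    param([string[]]$Actual = @(), [string[]]$Allowed = @())
    [pscustomobject]@{
        Unexpected = @($Actual  | Where-Object { $_ -notin $Allowed })
        Missing    = @($Allowed | Where-Object { $_ -notin $Actual })
    }
}

# S-1-5-32-544 is the well-known SID of the built-in Administrators group.
$actual = @(Get-LocalGroupMember -SID 'S-1-5-32-544' | ForEach-Object Name)
$drift  = Get-MembershipDrift -Actual $actual -Allowed $AllowedAdmins

# Local accounts other than the built-ins, matched by RID so a rename does not hide them:
# 500 Administrator, 501 Guest, 503 DefaultAccount, 504 WDAGUtilityAccount.
$extraUsers = @(Get-LocalUser |
    Where-Object { $_.SID.Value -notmatch '-(500|501|503|504)$' } |
    Select-Object Name, Enabled, LastLogon, SID)

# One summary object per machine, suitable for export or central collection.
[pscustomobject]@{
    Computer         = $env:COMPUTERNAME
    UnexpectedAdmins = $drift.Unexpected
    MissingAdmins    = $drift.Missing
    ExtraLocalUsers  = $extraUsers.Name
}
```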




