Re: administrator on box also on domain?



Further to that:

Domain\John.Doe could go and log onto other machines in your domain (however,
he would not have Local Admin rights, unless you added his domain account to
every local admin group).

John.Doe could only log in to the PC where you created his account. This
would be a local account only, and as Paul mentioned, would not have any
domain access...i.e. would not be able to connect to network shares, network
printers. You would also not be able to manage his account settings through
the AD Users & Computers, but would have to manage him directly on the PC
(i.e. password resets, etc.).

We have a similar setup, however we use a Group and then add that Group to
all PCs in our domain using the Restricted Groups Policy (be very careful
with that policy). Then to give a user local admin rights, we just have to
add their account to the group in question. Downside is that this gives the
user local admin rights to all PCs on the domain.

Whatever you do, do NOT start putting users into the Domain Administrators
group. This will give them access to local admin rights on the PC, but will
also give them full access to all your Domain Controllers, AD setup, etc.
Actually..there would be nothing they would not have access to, and could
change.

"Paul Bergson" wrote:

> A local John.Doe cannot do anything in the domain, he would have NO domain
> rights or permissions.
>
> --
>
>
> Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
>
> "Larry D" <ldempsey@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:u%23bVMmVnFHA.2904@xxxxxxxxxxxxxxxxxxxxxxx
> > That is what I am trying to figure out. If I add John Doe to the
> > administrators group at the PC then it shows something like:
> >
> > administrator
> > domain_name\Domain Admins
> > domain_name\John.Doe
> >
> > But if I add John Doe as a user first, then go into the local
> > administrator's group I can add him and it looks like:
> >
> > administrator
> > John.Doe
> > domain_name\Domain Admins
> >
> > So my question is, what is the difference as far as permissions and rights
> > for 'domain_name\John.Doe' as an administrator and just 'John.Doe' as an
> > administrator? Therein lies my quandary...
> >
> > Larry
> >
> >
> > "bob" <someone@xxxxxxxxxxxxx> wrote in message
> > news:ealuwEVnFHA.3828@xxxxxxxxxxxxxxxxxxxxxxx
> >>
> >> "Larry D" <ldempsey@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> >> news:Olyt9rUnFHA.1480@xxxxxxxxxxxxxxxxxxxxxxx
> >>> My last job we had a Power Users group on the AD domain and all users were
> >>> in it, except for the IT department, and the users were locked down pretty
> >>> tight. My new job does it differently, no policies in force, install what you
> >>> want. In AD all users are in the domain users group, but at the PC the IT
> >>> people would go in to Computer Management and add the user of that PC to the
> >>> Administrators group on the domain. They want the users to be admins of the
> >>> box so they can install software, printers, etc. Adding them as admins on
> >>> the box does not make them appear in the admin group in AD, so I am not sure
> >>> if it is the same thing or not. I know you can add the user to the users
> >>> group then add him to the admin group on the box and that is definitely a
> >>> local issue, but what about the other?
> >>>
> >>> TIA, Larry
> >>>
> >>>
> >>
> >> Hi Larry,
> >> Are you confusing the Administrators group on the workstation with the
> >> Domain Administrators Group in AD?
> >> The Domain Administrators group on the Domain is made a member of the
> >> local Administrators group when the workstation joins the active directory
> >> domain.
> >> Any user who is a member of Domain Administrators can then administer any box.
> >> In my company we want the user of the PC to be an administrator of their own
> >> PC and nothing else, so we add the user to the local Administrators group
> >> only.
> >>
> >> Hope this clears things up
> >>
> >> Bob
> >>
> >>
> >
> >
>
>
>
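
An added example, not written by any poster in this thread: a PowerShell audit of a PC's local Administrators group that tells a local account such as `John.Doe` apart from a domain principal such as `domain_name\John.Doe`, and picks out Domain Admins. It uses the built-in `Get-LocalGroup` and `Get-LocalGroupMember` cmdlets (Windows PowerShell 5.1 or later); the function name `Get-LocalAdminAudit` and the wording of the `Note` column are illustrative.

```powershell
# Added example: list who holds local admin rights on this machine and why it matters.
function Get-LocalAdminAudit {
    [CmdletBinding()]
    param()

    # Resolve the group by its well-known SID (S-1-5-32-544) instead of by name,
    # so the lookup does not depend on the display name of the group.
    $group = Get-LocalGroup -SID 'S-1-5-32-544'

    foreach ($m in Get-LocalGroupMember -Group $group) {
        $sid = $m.SID.Value

        $note = if ($m.PrincipalSource -eq 'Local') {
            # e.g. "PCNAME\John.Doe": exists only in this machine's account database.
            'Local account: admin on this PC only, no domain access'
        }
        elseif ($sid -match '^S-1-5-21-.+-512$') {
            # RID 512 is the Domain Admins group, added when the PC joins the domain.
            'Domain Admins: members can administer every domain-joined machine'
        }
        elseif ($m.PrincipalSource -eq 'ActiveDirectory') {
            # e.g. "domain_name\John.Doe" or a domain group pushed by Restricted Groups.
            'Domain principal: admin here, managed in AD Users & Computers'
        }
        else {
            'Other source: review manually'
        }

        [pscustomobject]@{
            Name   = $m.Name
            Class  = $m.ObjectClass       # User or Group
            Source = $m.PrincipalSource   # Local, ActiveDirectory, ...
            SID    = $sid
            Note   = $note
        }
    }
}

Get-LocalAdminAudit | Sort-Object Source, Name | Format-Table -AutoSize
```

A `Class` of Group on a domain principal means every member of that group is a local admin on the PC, which is the effect the Restricted Groups setup described above produces on all machines at once.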