RE: Customize User Rights for Domain Admins Group

You are going about this the wrong way. You don't have to make your
workstation administrators members of the Domain Admins group for them to
have administrative rights on your workstations.

Instead create a global security group and place your workstation
administrators in this group. Then create a GPO and set the Restricted
Groups policy. There are two options available to you here.

- You can either select the builtin\administrators and control the
'Members'. Add your new group and Domain Admins. With this method the
builtin\administrators group will always contain ONLY these groups when it is
applied.
or
- You can select your new group and make this a 'Member of' the
builtin\administrators group. This method will not remove other members of
the builtin\administrators group but just add your new group.

When you set this policy always type in builtin\administrators rather than
selecting from the list.

Then link this GPO to your OUs that contain your workstations and your
workstation administrators should now have admin rights on these workstations
and nothing else.

Best Regards
Joe Dunn MCSE

"Computer Guru" wrote:

Hi,

I'm trying to remove the domain controller administration rights from
Domain Admins.
I'd like to be able to give a user administrative access on all
*workstations* by making him a member of Domain Admins, and give
another user full admin rights by making him a member of Domain Admins
AND Administrators.

Basically, I want a tech support group to have full admin rights on
all workstations but not on the server and have it defined
automatically, without having to manually add them to the local admins
group, or defining a VB script to add them there either.

Is this possible? If Domain Admins can't be modified, can I duplicate
it and then hack it to do what I need?

Thanks.
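
The two Restricted Groups options in the reply above behave differently on a workstation whose local Administrators group already has extra members. This added example (not part of the original thread) reads the `[Group Membership]` section of a GPO security template (`GptTmpl.inf`, where Restricted Groups settings are stored) and models the resulting membership for each option. The `EXAMPLE` domain, the group and account names and both template snippets are constructed, and the merge rule is a model of the behaviour the reply describes.

```python
# Constructed GptTmpl.inf fragments, one per option described in the reply.
SAMPLE_MEMBERS_MODE = """\
[Unicode]
Unicode=yes
[Group Membership]
BUILTIN\\Administrators__Memberof =
BUILTIN\\Administrators__Members = EXAMPLE\\Domain Admins,EXAMPLE\\Workstation Admins
"""
SAMPLE_MEMBEROF_MODE = """\
[Group Membership]
EXAMPLE\\Workstation Admins__Memberof = BUILTIN\\Administrators
EXAMPLE\\Workstation Admins__Members =
"""
TARGET = "builtin\\administrators"  # local group being audited

def parse_group_membership(inf_text):
    """Return {(group, kind): [principals]} from the [Group Membership] section."""
    entries, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        group, sep, kind = key.strip().rpartition("__")
        if not sep or kind.lower() not in ("members", "memberof"):
            continue
        entries[(group.lower(), kind.lower())] = [
            v.strip() for v in value.split(",") if v.strip()]
    return entries

def effective_admins(inf_text, current):
    """Model local Administrators after the policy applies to `current` members."""
    entries = parse_group_membership(inf_text)
    # 'Member of' option: groups that ask to be added to the target group.
    additions = {g for (g, kind), vals in entries.items()
                 if kind == "memberof" and TARGET in (v.lower() for v in vals)}
    if (TARGET, "members") in entries:
        # 'Members' option: the listed principals become the complete membership.
        base, mode = {m.lower() for m in entries[(TARGET, "members")]}, "members"
    else:
        base = {c.lower() for c in current}
        mode = "memberof" if additions else "none"
    result = base | additions
    removed = {c.lower() for c in current} - result
    return mode, sorted(result), sorted(removed)
```

Running `effective_admins` over each template with the same starting membership shows which accounts the 'Members' option would strip and the 'Member of' option would leave in place.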

