Re: Granting client local admin access via GPO to logged on user o
- From: jmedd <jmedd@xxxxxxxxxxxxxxxx>
- Date: Wed, 21 Nov 2007 08:37:02 -0800
Thanks for the reply.
The difference is that they only need to be admin on the machine they use to
do things like run certain applications which need admin rights, install
printers etc.
The downside with the way we currently have this setup is that anyone with
half a brain can consequently get access to the local drives on any other
client machine. Although users are advised not to store data on their local
machines, there's a long-standing culture here where they still do, so there's
a potential security concern of being able to access someone else's data.
So I only want them to have local admin rights on the machine they use.
There's very little (if any at all) concept of people sharing machines, i.e.
a machine issued to one person is typically only used by that person.
Hopefully that makes sense.
"Danny Sanders" wrote:
Obviously this means that anybody has admin access to any machine.
What I would like to be able to achieve is the logged on user should only
have admin access to the machine they are currently using.
I'm not seeing the difference. When a user logs into a computer they are
made administrator of that machine. If they log into another machine you
want them to be admin there also.
What is the problem with them having admin access to "any machine", when you
allow them to log onto "any machine" and give them admin access on "any
machine" they are using?
If they *need* admin access to do their job on one machine, and they access
that machine remotely, they are going to need admin access to the remote
machine to do their job.
If they can do their job remotely and they don't need admin access to do
their job remotely, they probably don't need admin access to do their job
when logging in locally to that same machine.
DDS
"jmedd" <jmedd@xxxxxxxxxxxxxxxx> wrote in message
news:1BDB007C-E564-4DCE-BDA6-2B08FC04A1E4@xxxxxxxxxxxxxxxx
We need to give our users local admin access to their client 2000 / XP
machines and currently this is done via a GPO which adds a 'LocalAdmin
Access' domain based group to the local administrators group. Users are then
added to the domain based group.
Obviously this means that anybody has admin access to any machine.
What I would like to be able to achieve is the logged on user should only
have admin access to the machine they are currently using.
Does anyone have any suggestions how this could be done via GPO?
Thanks