Re: Local Admin on desktops




To add a little to Jorge's good post, I suggest:

1. create a Security group in the domain
2. add the user accounts that you want to be administrators on the workstations to this group
3. add the domain group to the local Administrators Group on the workstations

That way, to change who is an administrator on the workstations, you merely have to change the membership of the domain group - you don't need to do anything to the workstations.

You can populate the local group using a script or the Members Of feature of Restricted Groups in a GPO.

If you choose the GPO route (which I prefer, but others don't necessarily) be aware of the information at http://technet2.microsoft.com/windowsserver/en/library/be413dbd-c47f-48a9-912d-d3d22c02eb2e1033.mspx?mfr=true:

"The Member Of list specifies groups in which the restricted group is
included. Only inclusion in the Member Of list is enforced, not exclusion:
If you remove a group from the Member Of list, the restricted group is
allowed to remain a member of the removed group."

The above definitely applies to XP, but appears to not apply to Vista. See the thread "group policy settings is not removed after computer is removed from OU" in the microsoft.public.windows.group_policy newsgroup.

--
Bruce Sanderson
http://members.shaw.ca/bsanders

It is perfectly useless to know the right answer to the wrong question.



"Tim" <tjc7546@xxxxxxxxx> wrote in message news:E4DA78FB-B446-479A-A2F6-162FB246CA4A@xxxxxxxxxxxxxxxx
How do I grant Local Administrator access to desktops (for our desktop
administrators) without giving them Domain Admin privileges? We only want
them to have local admin privileges on the workstations in our domain.

Thanks in advance.
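
The script route from the reply above, as an added example that is not part of the original thread: it adds the domain group to the local Administrators group only if it is missing, then lists any members outside an expected baseline, since the Member Of setting quoted above enforces inclusion only. It assumes Windows PowerShell 5.1 or later (the Microsoft.PowerShell.LocalAccounts cmdlets, newer than the XP-era tools discussed in the thread); the group name `CONTOSO\Workstation Admins` and the baseline list are placeholders.

```powershell
# Added example, not from the original post. Run elevated on the workstation.
# CONTOSO\Workstation Admins and the $Allowed baseline are placeholders.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Domain security group created in steps 1 and 2 of the post (placeholder name)
    [string]$DomainGroup = 'CONTOSO\Workstation Admins',
    # Other principals you expect in local Administrators (assumed baseline)
    [string[]]$Allowed = @('CONTOSO\Domain Admins')
)

# Well-known SID of the built-in Administrators group.
# Using the SID avoids depending on the localized group name.
$adminsSid = 'S-1-5-32-544'

$members = @(Get-LocalGroupMember -SID $adminsSid -ErrorAction Stop)

# Step 3 of the post: add the domain group, but only if it is not already there,
# so the script can be re-run (for example as a startup script) without errors.
if ($members.Name -notcontains $DomainGroup) {
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Add $DomainGroup to local Administrators")) {
        Add-LocalGroupMember -SID $adminsSid -Member $DomainGroup -ErrorAction Stop
    }
}

# Audit: report members that are neither the domain group, nor on the baseline,
# nor an account with RID 500 (the built-in Administrator). Nothing is removed here;
# review the output and clean up deliberately.
$expected = @($DomainGroup) + $Allowed
Get-LocalGroupMember -SID $adminsSid |
    Where-Object { $_.SID.Value -notmatch '-500$' -and $expected -notcontains $_.Name } |
    Select-Object Name, ObjectClass, PrincipalSource, SID
```

Run it with `-WhatIf` first to see whether the group would be added without changing the machine; any rows in the output are memberships to review.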
