Re: Opening workstation event view = Access Denied

Hi Bruce,

Thank you for the explanation, it makes complete sense. I will research if
there is a GP I can create that will add the DomainAdmins group to the local
Admin group, then I will know it's always setup correctly (or should be).

Thanks again,
Steve


"Bruce Sanderson" <bsanders@xxxxxxxxxxxxxxxxx> wrote in message
news:e%23cB3ukDJHA.5316@xxxxxxxxxxxxxxxxxxxxxxx
At the time a computer is joined to the domain, the domain group called
Domain Admins gets added to the local group called Administrators. It is
possible for a (local) administrator to delete the Domain Admins group
from the local Administrators group. If this is done, the Domain Admins
group will NOT be re-added automatically.

So, being a member of the Domain Admins group does NOT necesarily mean you
are an administrator on the domain member computer.

--
Bruce Sanderson
http://members.shaw.ca/bsanders

It is perfectly useless to know the right answer to the wrong question.



"sklett" <s@xxxxx> wrote in message
news:O2YU6JRDJHA.4036@xxxxxxxxxxxxxxxxxxxxxxx
I'm a bit puzzled why I'm getting this error when trying to open a XP pro
client event log.
I'm remote desktopped in to our server (domain controller) and trying to
open a client's log.

I am a member of the following groups:
- Administrators pmd.local/builtin
- Domain Admins pmd.local/Users
- Domain Users pmd.local/Users
- Remote Desktop Users pmd.local/Builtin

Sure seems like I should have permission to do just about anything?

I was under the impression that if you are in the Domain Admins group
that you will be automatically added to workstation/client machines local
Administrators group. Is this not true?
We've had this network setup for almost two years and are just now hiring
people so I'm revisiting security and many other areas I haven't touched
in awhile... I'm a bit rusty.

Any help greatly appreciated.

Thanks,
Steve




.

Relevant Pages

  • RE: software to control domain administrators
    ... "Does anyone know any software to control, audit, or restrict access or privileges to domain administrators." ... I will restate my mantra differently, If you can not trust someone to be in a position of complete un-adulterated control of your network, then they should not be in that position. ... >(assuming we are talking about NT/AD Domain Admins) ...
    (Security-Basics)
  • Re: How to make give cross-domain "Domain Admins" permissions
    ... that "Domain Admins" do. ... Domain Admins don't have any special permissions, ... member of administrators on every domain member and the ...
    (microsoft.public.windows.server.active_directory)
  • Re: Settle a Administrators dispute
    ... Administrators Local Group on the DC but not in the Domain Admins ... Global Group, the users of the Global Group do not have the same ... restricted groups policy. ...
    (microsoft.public.windows.server.active_directory)
  • Re: Local admin group?
    ... No don't remove the domain admins group from the administrators group for ... Create a global group of users to add the local administrators ... > for the purpose of updates but I don't want them to have admin rights on ...
    (microsoft.public.win2000.security)
  • Add groups to Local Admin group
    ... I created a .bat file with the following command... ... >the local PC's Administrators group. ... >another domain group to also be a member of the ... >be a member of Domain Admins. ...
    (microsoft.public.win2000.security)