Re: Opening workstation event view = Access Denied
- From: "Bruce Sanderson" <bsanders@xxxxxxxxxxxxxxxxx>
- Date: Tue, 9 Sep 2008 12:44:12 -0700
You can add domain groups (or user accounts) to local groups using Restricted Groups in a GPO (Computer Configuration, Windows Settings, Security Settings, Restricted Groups).
Use the "Add Group" context menu item to add the domain group, then use the bottom part of the "Configure membership" dialog, "This group is a member of:", and specify the local group - e.g. Administrators.
In a domain of any size, you might NOT want the people that administer workstations to be Domain Admins. Consider creating a group (e.g. Resource-Workstation-Administrators) and adding that to the workstation's local Administrators group instead. You can then designate which user accounts are workstation administrators without also granting them administrative rights to the whole domain.
I explain all this in detail in sections 3 and 4 of the document "GettingsStartedwithWindows200Domains" available at http://members.shaw.ca/bsanders/WindowsGeneralWeb/DomainAndActiveDirectory.htm.
Although the detailed instructions are for Server 2008 domains, the concepts and processes are essentially the same for Server 2003 domains.
--
Bruce Sanderson
http://members.shaw.ca/bsanders/
It's perfectly useless to know the right answer to the wrong question.
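
Added example (not part of the original post and not the poster's own code): Restricted Groups settings are stored in the GPO's GptTmpl.inf under [Group Membership], where a "__Memberof" entry adds a group to a local group and keeps existing members, while a non-empty "__Members" entry enforces the exact member list. This Python sketch audits which principals a GPO puts into local Administrators; the domain SID, RID 1134 and the sample INF text are constructed.

```python
import configparser

ADMINISTRATORS = "S-1-5-32-544"  # well-known SID of the built-in Administrators group
DOM = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID

# Constructed GptTmpl.inf fragments. RID 1134 stands for a hypothetical
# Resource-Workstation-Administrators group; RID 512 is Domain Admins.
MEMBER_OF_INF = f"""[Version]
signature="$CHICAGO$"
[Group Membership]
*{DOM}-1134__Memberof = *{ADMINISTRATORS}
*{DOM}-1134__Members =
"""
MEMBERS_INF = f"""[Group Membership]
*{ADMINISTRATORS}__Memberof =
*{ADMINISTRATORS}__Members = *{DOM}-512,Administrator
"""

def parse_group_membership(inf_text):
    """Return {group: {"memberof": [...], "members": [...]}} from INF text."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep SIDs and names exactly as written
    cp.read_string(inf_text)
    groups = {}
    if cp.has_section("Group Membership"):
        for key, value in cp.items("Group Membership"):
            group, _, kind = key.rpartition("__")
            names = [v.strip().lstrip("*") for v in value.split(",") if v.strip()]
            groups.setdefault(group.lstrip("*"), {})[kind.lower()] = names
    return groups

def _is_domain_admins(principal):
    return principal.startswith("S-1-5-21-") and principal.endswith("-512")

def local_admin_grants(inf_text):
    """List (principal, mode, is_domain_admins) for entries touching local Administrators."""
    grants = []
    for group, cfg in parse_group_membership(inf_text).items():
        if ADMINISTRATORS in cfg.get("memberof", []):
            # "This group is a member of": existing Administrators members are kept
            grants.append((group, "added", _is_domain_admins(group)))
        if group == ADMINISTRATORS:
            # "Members of this group": anyone not listed is removed
            grants += [(m, "enforced", _is_domain_admins(m)) for m in cfg.get("members", [])]
    return grants

if __name__ == "__main__":
    for name, text in (("member-of", MEMBER_OF_INF), ("members", MEMBERS_INF)):
        print(name, local_admin_grants(text))
```

Real GptTmpl.inf files in SYSVOL are UTF-16 encoded, so decode them before passing the text to the parser.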
"sklett" <s@xxxxx> wrote in message news:uLiViDHEJHA.1460@xxxxxxxxxxxxxxxxxxxxxxx
Hi Bruce,
Thank you for the explanation, it makes complete sense. I will research if there is a GP I can create that will add the DomainAdmins group to the local Admin group, then I will know it's always set up correctly (or should be).
Thanks again,
Steve
"Bruce Sanderson" <bsanders@xxxxxxxxxxxxxxxxx> wrote in message news:e%23cB3ukDJHA.5316@xxxxxxxxxxxxxxxxxxxxxxx
At the time a computer is joined to the domain, the domain group called Domain Admins gets added to the local group called Administrators. It is possible for a (local) administrator to delete the Domain Admins group from the local Administrators group. If this is done, the Domain Admins group will NOT be re-added automatically.
So, being a member of the Domain Admins group does NOT necessarily mean you are an administrator on the domain member computer.
--
Bruce Sanderson
http://members.shaw.ca/bsanders
It is perfectly useless to know the right answer to the wrong question.
"sklett" <s@xxxxx> wrote in message news:O2YU6JRDJHA.4036@xxxxxxxxxxxxxxxxxxxxxxx
I'm a bit puzzled why I'm getting this error when trying to open an XP pro client event log.
I'm remote desktopped in to our server (domain controller) and trying to open a client's log.
I am a member of the following groups:
- Administrators pmd.local/builtin
- Domain Admins pmd.local/Users
- Domain Users pmd.local/Users
- Remote Desktop Users pmd.local/Builtin
Sure seems like I should have permission to do just about anything?
I was under the impression that if you are in the Domain Admins group that you will be automatically added to workstation/client machines' local Administrators group. Is this not true?
We've had this network set up for almost two years and are just now hiring people so I'm revisiting security and many other areas I haven't touched in a while... I'm a bit rusty.
Any help greatly appreciated.
Thanks,
Steve