Re: Domain Admin?



Hello Matthew,
If you want them to be local admins so they can perform maintenance, then you should consider using restricted groups:

To use the restricted user group gpo setting


computer configuration \ windows settings \ restricted groups


group = your group to be made local admins
member of = BUILTIN\Administrators


http://www.windowsecurity.com/articles/Using-Restricted-Groups.html


http://www.microsoft.com/technet/prodtechnol/windowsserver2003/librar...


http://www.microsoft.com/resources/documentation/windows/xp/all/prodd...


There is absolutely nothing that has to be done on the client side.


Create the gpo in the ou where the Computers reside (NOT the users), go to computer configuration/windows settings/security settings/restricted groups, right click on restricted groups and select new group (For the local computers, this group name should be - administrators) and key in the group you want auto populated. Select add on the Members of this group and then add the members you want populated.


Note: Be aware that the higher you place this setting within the domain's group policy, the possibility exists it is applied to machines you may not want it applied to. With this in mind you should try to avoid this setting at the domain level, with the exception of the domain admins group. We have some users who are local admins on machines and for some reason they feel compelled to remove the domain admins from their local administrators group. Setting this at the domain level manages these annoying users.





--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4


http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup.
This posting is provided "AS IS" with no warranties, and confers no rights.



I have a user I need to be able to run as administrator on desktop
computers, but I don't want them to have admin rights on the server.
Does the Domain Admin group do that? If not, can it be done and how?
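
The following is an added example, not part of the original posts. A Restricted Groups policy is stored in the GPO's GptTmpl.inf under `[Group Membership]`, and the two modes mentioned in the reply differ: a "Members" list replaces the local group's membership, while "Member of" only adds the group. This Python sketch parses a constructed sample of that section and reports what lands in BUILTIN\Administrators; the domain SIDs and the name `EXAMPLE\Desktop Admins` are made up.

```python
import re

ADMIN_NAMES = ("S-1-5-32-544", "ADMINISTRATORS", "BUILTIN\\ADMINISTRATORS")

# Constructed sample of the [Group Membership] section a Restricted Groups
# policy writes to GptTmpl.inf; the domain SIDs and group name are made up.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-512,EXAMPLE\\Desktop Admins
*S-1-5-21-1111111111-2222222222-3333333333-1601__Memberof = *S-1-5-32-544
*S-1-5-21-1111111111-2222222222-3333333333-1601__Members =
"""

def parse_group_membership(inf_text):
    """Return {group: {"members": [...], "memberof": [...]}} from the INF text."""
    groups, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        m = re.match(r"^(.+?)__(Members|Memberof)\s*=\s*(.*)$", line, re.I)
        if not in_section or not m:
            continue
        group = m.group(1).strip().lstrip("*")  # '*' marks a SID in the file
        values = [v.strip().lstrip("*") for v in m.group(3).split(",") if v.strip()]
        groups.setdefault(group, {"members": [], "memberof": []})[m.group(2).lower()] = values
    return groups

def admin_grants(inf_text):
    """List (principal, mode) pairs that end up in the local Administrators group."""
    grants = []
    for group, entry in parse_group_membership(inf_text).items():
        if group.upper() in ADMIN_NAMES:
            # "Members" mode: the list replaces the local group's membership.
            grants += [(p, "replace") for p in entry["members"]]
        elif any(t.upper() in ADMIN_NAMES for t in entry["memberof"]):
            # "Member of" mode: the group is added, existing members are kept.
            grants.append((group, "add"))
    return grants

if __name__ == "__main__":
    for principal, mode in admin_grants(SAMPLE_INF):
        print(f"{mode:8} {principal}")
```

Entries reported as `replace` are the ones that remove any local administrator not on the list, so they are the ones to review before linking the GPO high in the OU tree.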


