Re: local admin issues




If you want them to be local admins so they
can perform maintenance then you should consider using restricted groups:

To use the restricted user group gpo setting


computer configuration \ windows settings \ restricted groups


group = your group to be made local admins
member of = BUILTIN\Administrators


http://www.windowsecurity.com/articles/Using-Restricted-Groups.html


http://www.microsoft.com/technet/prodtechnol/windowsserver2003/librar...


http://www.microsoft.com/resources/documentation/windows/xp/all/prodd...


There is absolutely nothing that has to be done on the client side.


Create the gpo in the ou where the Computers reside (NOT the users), go to
computer configuration/windows settings/security settings/restricted groups,
right click on restricted groups and select new group (For the local
computers, this group name should be - administrators) and key in the group
you want auto populated. Select add on the Members of this group and then
add the members you want populated.


Note: Be aware that the higher you place this setting within the domain's
group policy, the possibility exists it is applied to machines you may not
want it applied to. With this in mind you should try and avoid this setting
at the domain level, with the exception of the domain admins group. We have
some users who are local admins on machines and for some reason they feel
compelled to remove the domain admins from their local administrators group.
Setting this at the domain level manages these annoying users.




--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup. This
posting is provided "AS IS" with no warranties, and confers no rights.


"Berni" <Berni@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:0EE739A0-0AAE-4F73-9B18-E7745FA1D7B8@xxxxxxxxxxxxxxxx
Hi,

I've got two questions.

1st question:

Is there a way to prevent domain admins from being removed from the local admins
group via gpo?
In our case we've got some domain users which are also in the local admins
group and they can (if they want to) delete the domain admins from this
group.
This would prevent the domain admins from accessing these computers for
administrative purposes...
I know, having domain users as local admins is not the best practice but in
some case of ours it is necessary.

Is there a way to prevent the domain admins group from being removed, or is there
any setting via gpo to force domain admins to be in the local admins group,
or is there another best practice?


2nd Question:

Is there a way to add a domain user via gpo or to the local admins group of
specific computers?

This would be very helpful, we need a user which is a local admin on some
computers but it should not be a member of the domain admins group, and the
local assignment of the user on each computer would be quite inefficient.
Or is there another solution for this topic?


Thanks in advance,
Best regards
Berni
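
Added example, not part of the original posts: the reply describes two Restricted Groups modes, "member of" (adds the group to local Administrators) and "Members of this group" (replaces the local membership with the listed entries). The Python sketch below audits the `[Group Membership]` section a GPO stores in its `GptTmpl.inf` security template and flags an authoritative Administrators list that leaves out Domain Admins. The domain SID, the RID 1105 group and the sample sections are constructed for illustration.

```python
import re

ADMINISTRATORS = "S-1-5-32-544"   # well-known SID of BUILTIN\Administrators
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"   # constructed domain SID
DOMAIN_ADMINS = DOMAIN + "-512"   # 512 is the well-known Domain Admins RID
HELPDESK = DOMAIN + "-1105"       # hypothetical group to be made local admin

# Constructed [Group Membership] sections, one per Restricted Groups mode.
MEMBER_OF_MODE = f"[Group Membership]\n*{HELPDESK}__Memberof = *{ADMINISTRATORS}\n"
MEMBERS_MODE = f"[Group Membership]\n*{ADMINISTRATORS}__Members = *{HELPDESK}\n"
MEMBERS_FIXED = MEMBERS_MODE.rstrip() + f",*{DOMAIN_ADMINS}\n"


def parse_restricted_groups(inf_text):
    """Map each group in [Group Membership] to its 'members'/'memberof' lists."""
    groups, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        m = re.match(r"(.+?)__(members|memberof)\s*=\s*(.*)$", line, re.I)
        if in_section and m:
            group, kind = m.group(1).lstrip("*"), m.group(2).lower()
            values = [v.strip().lstrip("*") for v in m.group(3).split(",") if v.strip()]
            groups.setdefault(group, {})[kind] = values
    return groups


def audit_local_admins(groups):
    """Report how each entry changes the local Administrators group."""
    findings = []
    for group, entry in groups.items():
        if ADMINISTRATORS in entry.get("memberof", []):
            findings.append(f"additive: {group} is added, existing members are kept")
    members = groups.get(ADMINISTRATORS, {}).get("members")
    if members is not None:
        findings.append(f"authoritative: membership is replaced by {len(members)} entries")
        if DOMAIN_ADMINS not in members:
            findings.append("warning: Domain Admins is not listed and will be removed")
    return findings


if __name__ == "__main__":
    for name, text in [("member of", MEMBER_OF_MODE), ("members", MEMBERS_MODE),
                       ("members + Domain Admins", MEMBERS_FIXED)]:
        print(name, "->", audit_local_admins(parse_restricted_groups(text)))
```
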
