Re: local admin issues

From: Meinolf Weber [MVP-DS] <meiweb(nospam)@gmx.de>
Date: Fri, 10 Apr 2009 12:30:31 +0000 (UTC)

Hello berni,

Restricted groups via GPO is the best way to control the local admins.
http://technet.microsoft.com/en-us/library/cc756802.aspx

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

Hi,

I've got Two questions.

1st question:

Is there a way to prevent domain admins to be removed from the local
admins
group via gpo.
In our case we've got some domain users which are also in the local
admins
group and they can (if they want to) delete the domain admins from
this
group.
This would prevent the domain admins from accessing this computers vor
administrative purposes...
I know, having domain users as local admins is not the best practice
but in
some case of ours it is necessary.
Is there a way to prevent the domain admins group to be removed, or is
there any setting via gpo to force domains admins to be in the local
admins group, or is there another best practice?

2nd Question:

Is there a way to add a domain user via gpo or to the local admins
group of specific computers?

This would be very helpfull, we need a user which is a local admin on
some
computers but it should not be a member of the domain admins group,
and the
local assigment of the user on each computer would be quite
inefficient.
Or is there another solution for this topic?
Thanks in advance,
Best regards
Berni

References:
- local admin issues
  - From: Berni

Prev by Date: Enable logging for special attributes
Next by Date: Re: Enable logging for special attributes
Previous by thread: Re: local admin issues
Next by thread: Re: local admin issues
Index(es):
- Date
- Thread

Relevant Pages

Re: Domain Admin?
... If you want them to be local admins so they can perform maintenance than you should consider using restricted groups: ... Create the gpo in the ou where the Computers reside, go to computer configuration/windows settings/security settings/restricted groups, right click on restricted groups and select new group and key in the group you want auto populated. ... We have some users who are local admins on machines and for some reason they feel compelled to remove the domain admins from their local administrators group. ...
(microsoft.public.windows.server.active_directory)
Re: users removing Domain Admin from local admin group
... You can't set the machine up so local admins can't modify the local ... administrators group. ... If the corporate policy is that domain admins are to be listed in the ...
(microsoft.public.win2000.security)
Re: domain user with local admin right
... admin and you are correct on choosing Restricted Groups to implement it. ... with the exception on the domain admins group. ... some users who are local admins on machines and for some reason they feel ...
(microsoft.public.windows.server.active_directory)
Re: How to alter ADAM administrative rights?
... Having local admins and your specific domain group both be members of the ADAM admin role is probably the way to go if you do not want the ADAM admins to be local admins on the box as well. ...
(microsoft.public.windows.server.active_directory)
Re: Domain Users Group added to Local Administrators
... >> having users being local admins much stronger than they do now. ... This way all domain users are automatically ... This is more secure than putting e.g. "Domain Users" in the Administrators ...
(microsoft.public.win2000.security)