Re: Local Admin user removed from Administrator group
- From: "Adrian Marsh (NNTP)" <adrian.marsh@xxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 26 Jan 2007 20:27:45 +0000
Thanks Lanwench, I understand now...
So - if I wanted end users to be able to have local admin accounts, but
also wanted their domain accounts to be local admins, how would I go
about it ? (Just supposition).
Actually.. what Id really like, would be for users to be admins of
their own machines, but not of others.. I've not seen a way to do this
so far, other than Restricted groups and adding Domain Users to
Administrators. - Or by adding individual accounts to each local PC. Is
there a way to achieve this instead?
A.
Lanwench [MVP - Exchange] wrote:
In news:45AE6E43.8080206@xxxxxxxxxxxxxxxxxxxxxxx,.
Adrian Marsh (NNTP) <adrian.marsh@xxxxxxxxxxxxxxxxxxxxxxx> typed:
Restricted Groups - yes...
What I don't understand, is why - locally created users- , that are
locally added to the local administrators group, are being removed
from the admin group by the policy.
Because that's exactly what restricted groups are for...to centrally control
(and strictly enforce) group membership.
Again, I don't see why you would want this to be a local user instead of a
domain user account. I don't use local user accounts for anything on servers
(don't see the value). Pretty much anything I'd want running on a member
server would be something requiring some form of network access anyway
(which a local account can't do).
That aside - how can I exclude a machine from the GPO? (Apart from
move it to a different branch of the AD tree).
Is the GPO in which you've applied the restricted groups doing anything
else?
And, where is it linked?
Is the member server in the my business\computers\sbs servers OU?
Lanwench [MVP - Exchange] wrote:
In news:45AE3C51.2080907@xxxxxxxxxxxxxxxxxxxxxxx,
Adrian Marsh (NNTP) <adrian.marsh@xxxxxxxxxxxxxxxxxxxxxxx> typed:
Hi,Why not?
I've a fairly out-of-box SBS 2003 R1 group policy setup.
I've added a new SQL server, which runs some Jboss applications. As
part
of the Jboss setup I need to run a service as a local Admin.
I created the local user (I don't need/want a domain account for
this),
and assigned them to the local server Administrators group.That's unwise; your users should not be anything other than users.
I have a GPO that says all domain users are part of their local
Admin group.
However, that being said, are you using restricted groups? If so,
this is normal - the restricted group settings supersede the
locally-configured group membership. Perhaps you need to link the
GPO in question to another OU or otherwise exclude it from being
applied to the member server in question.
This seems to have the effect of removing my Local users from the
Local Administrators group. (We see an event 637 when I turn on more
logging).
How can I enable either the Domain, or Local GPO to let the Jboss
user keep its Administrator rights?
Cheers,
Adrian
- Follow-Ups:
- Re: Local Admin user removed from Administrator group
- From: Lanwench [MVP - Exchange]
- Re: Local Admin user removed from Administrator group
- References:
- Local Admin user removed from Administrator group
- From: Adrian Marsh (NNTP)
- Re: Local Admin user removed from Administrator group
- From: Lanwench [MVP - Exchange]
- Re: Local Admin user removed from Administrator group
- From: Adrian Marsh (NNTP)
- Re: Local Admin user removed from Administrator group
- From: Lanwench [MVP - Exchange]
- Local Admin user removed from Administrator group
- Prev by Date: Re: GPO 101 question
- Next by Date: Re: Received fax errors after running SFC.exe
- Previous by thread: Re: Local Admin user removed from Administrator group
- Next by thread: Re: Local Admin user removed from Administrator group
- Index(es):
Relevant Pages
|
