Re: Local Admin user removed from Administrator group



In news:45BA6441.6000907@xxxxxxxxxxxxxxxxxxxxxxx,
Adrian Marsh (NNTP) <adrian.marsh@xxxxxxxxxxxxxxxxxxxxxxx> typed:
Thanks Lanwench, I understand now...

So - if I wanted end users to be able to have local admin accounts,
but also wanted their domain accounts to be local admins, how would I
go about it? (Just supposition.)


Actually... what I'd really like would be for users to be admins of
their own machines, but not of others. I've not seen a way to do
this so far, other than Restricted Groups and adding Domain Users to
Administrators, or by adding individual accounts to each local PC.
Is there a way to achieve this instead?

You'd need to add their individual domain accounts to the local workstation
admin groups. And I discourage this... there's simply no reason I can think
of in 99% of situations that I'd want this.



A.

Lanwench [MVP - Exchange] wrote:
In news:45AE6E43.8080206@xxxxxxxxxxxxxxxxxxxxxxx,
Adrian Marsh (NNTP) <adrian.marsh@xxxxxxxxxxxxxxxxxxxxxxx> typed:
Restricted Groups - yes...

What I don't understand, is why - locally created users- , that are
locally added to the local administrators group, are being removed
from the admin group by the policy.

Because that's exactly what restricted groups are for...to centrally
control (and strictly enforce) group membership.

Again, I don't see why you would want this to be a local user
instead of a domain user account. I don't use local user accounts
for anything on servers (don't see the value). Pretty much anything
I'd want running on a member server would be something requiring
some form of network access anyway (which a local account can't do).

That aside - how can I exclude a machine from the GPO? (Apart from
move it to a different branch of the AD tree).

Is the GPO in which you've applied the restricted groups doing
anything else?
And, where is it linked?
Is the member server in the my business\computers\sbs servers OU?


Lanwench [MVP - Exchange] wrote:
In news:45AE3C51.2080907@xxxxxxxxxxxxxxxxxxxxxxx,
Adrian Marsh (NNTP) <adrian.marsh@xxxxxxxxxxxxxxxxxxxxxxx> typed:
Hi,

I've a fairly out-of-box SBS 2003 R1 group policy setup.

I've added a new SQL server, which runs some Jboss applications. As part
of the Jboss setup I need to run a service as a local Admin.

I created the local user (I don't need/want a domain account for this),
Why not?

and assigned them to the local server Administrators group.

I have a GPO that says all domain users are part of their local
Admin group.
That's unwise; your users should not be anything other than users.
However, that being said, are you using restricted groups? If so,
this is normal - the restricted group settings supersede the
locally-configured group membership. Perhaps you need to link the
GPO in question to another OU or otherwise exclude it from being
applied to the member server in question.
This seems to have the effect of removing my Local users from the
Local Administrators group. (We see an event 637 when I turn on
more logging).


How can I enable either the Domain, or Local GPO to let the Jboss
user keep its Administrator rights?

Cheers,

Adrian
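An added check, not part of the thread, for the situation described above: it lists the local Administrators group, flags members that a Restricted Groups "Members" list would strip at the next policy refresh (local accounts such as the Jboss service account being the usual casualties), and pulls the removal events from the Security log. It assumes a current Windows host with the LocalAccounts module (Get-LocalGroupMember) and Get-WinEvent; the names in $ExpectedMembers are placeholders for whatever the GPO enforces.

```powershell
# Added example (not code from the thread): audit local Administrators membership
# against what a Restricted Groups "Members" policy enforces, and list removals.
# Assumes Windows 10 / Server 2016 or later. $ExpectedMembers is a placeholder.
param(
    # Constructed placeholder: the accounts the GPO lists under "Members".
    [string[]]$ExpectedMembers = @('EXAMPLE\Domain Admins', "$env:COMPUTERNAME\Administrator"),
    [int]$EventHours = 24
)

# Enumerate current membership; PrincipalSource distinguishes local from domain principals.
$current = Get-LocalGroupMember -Group 'Administrators'

Write-Host ("Current members of Administrators on {0}:" -f $env:COMPUTERNAME)
foreach ($m in $current) {
    $flag = if ($ExpectedMembers -contains $m.Name) { 'enforced by policy' }
            else { 'NOT in policy - will be removed at next GP refresh' }
    Write-Host ("  {0,-40} {1,-16} {2}" -f $m.Name, $m.PrincipalSource, $flag)
}

# A Restricted Groups "Members" list replaces the group's membership; it does not merge
# with it, so a locally created admin account is removed unless the policy names it.
$localDrift = $current | Where-Object {
    $_.PrincipalSource -eq 'Local' -and $ExpectedMembers -notcontains $_.Name
}
if ($localDrift) {
    Write-Warning ("Local accounts a Restricted Groups policy would strip: " +
                   ($localDrift.Name -join ', '))
}

# Show removals that already happened. Event 637 on Windows 2003 (the ID seen in the
# thread) is 4733 on current Windows: "A member was removed from a security-enabled local group".
$since = (Get-Date).AddHours(-$EventHours)
$removals = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4733; StartTime = $since } `
                         -ErrorAction SilentlyContinue
foreach ($e in $removals) {
    # The message text is locale-dependent, so read the fields from the XML payload.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    Write-Host ("{0}  removed {1} from {2} (by {3})" -f `
        $e.TimeCreated, $d['MemberSid'], $d['TargetUserName'], $d['SubjectUserName'])
}
```

Run it elevated on the member server, since reading the Security log requires administrative rights.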





