Re: Local Admin user removed from Administrator group
- From: "Adrian Marsh (NNTP)" <adrian.marsh@xxxxxxxxxxxxxxxxxxxxxxx>
- Date: Sun, 11 Feb 2007 18:49:17 +0000
So, do your end-users manager their own PCs? (eg, install apps,
configure them etc), or is this something you/a team of people/ do for them?
Lanwench [MVP - Exchange] wrote:
In news:45BA6441.6000907@xxxxxxxxxxxxxxxxxxxxxxx,.
Adrian Marsh (NNTP) <adrian.marsh@xxxxxxxxxxxxxxxxxxxxxxx> typed:
Thanks Lanwench, I understand now...
So - if I wanted end users to be able to have local admin accounts,
but also wanted their domain accounts to be local admins, how would I
go about it ? (Just supposition).
Actually.. what Id really like, would be for users to be admins of
their own machines, but not of others.. I've not seen a way to do
this so far, other than Restricted groups and adding Domain Users to
Administrators. - Or by adding individual accounts to each local PC.
Is there a way to achieve this instead?
You'd need to add their individual domain accounts to the local workstation
admin groups. And I discourage this ...there's simply no reason I can think
of in 99% of situations that I'd want this.
A.
Lanwench [MVP - Exchange] wrote:
In news:45AE6E43.8080206@xxxxxxxxxxxxxxxxxxxxxxx,
Adrian Marsh (NNTP) <adrian.marsh@xxxxxxxxxxxxxxxxxxxxxxx> typed:
Restricted Groups - yes...Because that's exactly what restricted groups are for...to centrally
What I don't understand, is why - locally created users- , that are
locally added to the local administrators group, are being removed
from the admin group by the policy.
control (and strictly enforce) group membership.
Again, I don't see why you would want this to be a local user
instead of a domain user account. I don't use local user accounts
for anything on servers (don't see the value). Pretty much anything
I'd want running on a member server would be something requiring
some form of network access anyway (which a local account can't do).
That aside - how can I exclude a machine from the GPO? (Apart fromIs the GPO in which you've applied the restricted groups doing
move it to a different branch of the AD tree).
anything else?
And, where is it linked?
Is the member server in the my business\computers\sbs servers OU?
Lanwench [MVP - Exchange] wrote:
In news:45AE3C51.2080907@xxxxxxxxxxxxxxxxxxxxxxx,
Adrian Marsh (NNTP) <adrian.marsh@xxxxxxxxxxxxxxxxxxxxxxx> typed:
Hi,Why not?
I've a fairly out-of-box SBS 2003 R1 group policy setup.
I've added a new SQL server, which runs some Jboss applications.
As part
of the Jboss setup I need to run a service as a local Admin.
I created the local user (I don't need/want a domain account for
this),
and assigned them to the local server Administrators group.That's unwise; your users should not be anything other than users.
I have a GPO that says all domain users are part of their local
Admin group.
However, that being said, are you using restricted groups? If so,
this is normal - the restricted group settings supersede the
locally-configured group membership. Perhaps you need to link the
GPO in question to another OU or otherwise exclude it from being
applied to the member server in question.
This seems to have the effect of removing my Local users from the
Local Administrators group. (We see an event 637 when I turn on
more logging).
How can I enable either the Domain, or Local GPO to let the Jboss
user keep its Administrator rights?
Cheers,
Adrian
- Prev by Date: Re: IIS logs for Exchange/OMA Access
- Next by Date: Re: User vs device CALs
- Previous by thread: Re: Loss of Remote Web Access and Website on R2 Upgrade
- Next by thread: Re: ESENT Event ID 467
- Index(es):
Relevant Pages
|
