Re: Restricted groups local admins
- From: "Miha Pihler [MVP]" <mihap-news@xxxxxxxxxxx>
- Date: Tue, 15 Aug 2006 16:51:36 +0200
Hi,
Can you be specific about which groups, to avoid confusion? There is a built-in
Administrators group in Active Directory, and there are built-in
Administrators groups on every PC. Besides the name, there is nothing else in
common.
If a user is a member of the Administrators group on his PC, he is not also a
member of the Administrators group in the domain! However -- this might not be
true in the opposite direction... You should _not_ put your users in the domain
built-in Administrators group! If you do -- yes, they will have full access to
the domain...
This is why I usually try to avoid using Restricted Groups for managing
built-in groups on client computers. Personally, I would rather use scripts. I
only use Restricted Groups for managing domain groups -- such as Domain
Administrators, Enterprise Administrators and other similar groups.
Here is an example of such a script:
net localgroup administrators "Domain\PC_Admins" /add
Replace Domain with the NetBIOS name of your domain. Replace PC_Admins with the
name of the group that you created in your domain, and add users to this
domain. Users that you add to this group will not have administrator
permissions on this computer, while they will not have excessive permissions in
the domain.
Put the above command in a batch file and run it as a startup script (not a
logon script) using Group Policy.
--
Mike
Microsoft MVP - Windows Security
"Jordy" <Jordy@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:85B8D30D-06DE-42FC-BA14-B8AF3578DE9C@xxxxxxxxxxxxxxxx
Hello
Thanks for the response...
The issue is, once I do the restricted groups and then check the Active
Directory built-in groups, the Administrators group, that group is listed
there (Local Admin group). Then I check the security on the O and the
Administrator group from AD has full rights there.
"Miha Pihler [MVP]" wrote:
Hi Jordy,
If you do this correctly -- users do not get excessive access to domain
resources. It is not true that the built-in Administrators group has full
access to all domain resources (if you are talking about the Administrators
group on your client PCs).
Can you check the following:
- Who are the members (which users and groups) of the Domain Administrators
group in your Active Directory?
- Who are the members of the Administrators group in your Active Directory?
- Who are the members of the Enterprise Administrators group in your Active
Directory?
Make sure that groups like:
- Domain Users
- Users
- ...
are not members of the above-mentioned groups.
--
Mike
Microsoft MVP - Windows Security
"Jordy" <Jordy@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:316E34C9-EA06-4E40-858E-05C92EBC60B7@xxxxxxxxxxxxxxxx
Hello
I followed the technote on how to add a group to all computers in a domain
for local admin rights. This works great, except I have found out that once I
do this, all users have complete access to the domain objects. I assume this is
because by default the built-in Administrators group has full rights to the
domain. I assume I can just remove this group from the security tab of my O
unit in Active Directory.
Thanks
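The startup-script approach Mike describes, written out as an added example (not code from anyone in this thread): it only calls `net localgroup ... /add` when the domain group is not already a local Administrators member, logs what it did, and flags broad groups such as Domain Users if they turn up in the local Administrators group. The domain name, group name and log path are placeholders you replace.

```powershell
# Added example, not from the thread. Intended to run as a computer Startup
# script via Group Policy (runs as SYSTEM, so no user rights are involved).
$Domain = 'DOMAIN'      # placeholder: NetBIOS name of your domain
$Group  = 'PC_Admins'   # placeholder: the global group you created in the domain
$Member = "$Domain\$Group"
$Log    = "$env:SystemRoot\Temp\localadmin-startup.log"   # placeholder path

function Write-Log([string]$Message) {
    Add-Content -Path $Log -Value ("{0} {1}" -f (Get-Date -Format s), $Message)
}

function Get-LocalAdminMembers {
    # Parse the output of 'net localgroup administrators': member names sit
    # between the dashed separator line and the "The command completed" line.
    $lines  = net localgroup administrators 2>&1
    $inList = $false
    foreach ($line in $lines) {
        $text = [string]$line
        if ($text -match '^-{5,}')               { $inList = $true; continue }
        if ($text -match '^The command completed') { break }
        if ($inList -and $text.Trim())           { $text.Trim() }
    }
}

$members = @(Get-LocalAdminMembers)   # -contains compares case-insensitively

if ($members -contains $Member) {
    Write-Log "$Member is already in local Administrators; nothing to do"
} else {
    net localgroup administrators $Member /add | Out-Null
    if ($LASTEXITCODE -eq 0) { Write-Log "added $Member to local Administrators" }
    else { Write-Log "FAILED to add $Member (net.exe exit code $LASTEXITCODE)" }
}

# The check from the thread, applied to the local group: broad groups should
# never be members of Administrators, here or in the domain's admin groups.
$broad = @("$Domain\Domain Users", 'Users', 'Everyone', 'NT AUTHORITY\Authenticated Users')
foreach ($b in $broad) {
    if ($members -contains $b) { Write-Log "WARNING: $b is a member of local Administrators" }
}
```

The same membership check for the domain-side groups Mike lists (Domain Admins, Administrators, Enterprise Admins) can be done on a domain-joined machine with `net group "Domain Admins" /domain` and the equivalent parsing.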