Guest
Archived from groups: microsoft.public.win2000.security
We have an AD domain where other offices join the domain via VPN. My problem
is in administrators. I need to give one or 2 people at each office the
ability to have administrator priv's on all local 2k machines for the
purpose of updates but I don't want them to have admin rights on our
servers.
My first thought was "domain admin" but that is part of the Administrators
group.
By default, with Windows 2000, when you join a domain, domain admins and
administrators have local admin rights on that computer to do things such as
"Windows Updates", change network settings, add programs etc. You can't
just create a group called Local Domain Admin then add them as a user
account with admin rights because you can't add groups... only users locally
on each station.
I thought of removing domain admins from the administrators group on the
domain and adding those users from each office to the domain admin but I'm
not sure that it would be the right approach or would work.
Does anyone have any ideas?
Thanks,
Dan
DanTindell@Hotmail.com