Local admin group?

Guest
Archived from groups: microsoft.public.win2000.security

We have an AD domain where other offices join the domain via VPN. My problem
is in administrators. I need to give one or 2 people at each office the
ability to have administrator priv's on all local 2k machines for the
purpose of updates but I don't want them to have admin rights on our
servers.

My first thought was "domain admin" but that is part of the Administrators
group.

By default, with Windows 2000, when you join a domain, domain admins and
administrators have local admin rights on that computer to do things such as
"Windows Updates", change network settings, add programs etc. You can't
just create a group called Local Domain Admin then add them as a user
account with admin rights because you can't add groups... only users locally
on each station.

I thought of removing domain admins from the administrators group on the
domain and adding those users from each office to the domain admin but I'm
not sure that it would be the right approach or would work.

Does anyone have any ideas?

Thanks,
Dan
DanTindell@Hotmail.com
 
Guest

You could create the group on the DC add the users to it. Then go to the
workstations and add that group to the local admin group.
"Dan Tindell" <DanTindell@Hotmail.com> wrote in message
news:OKgfawA9EHA.3828@TK2MSFTNGP09.phx.gbl...
> We have an AD domain where other offices join the domain via VPN. My problem
> is in administrators. I need to give one or 2 people at each office the
> ability to have administrator priv's on all local 2k machines for the
> purpose of updates but I don't want them to have admin rights on our
> servers.
>
> My first thought was "domain admin" but that is part of the Administrators
> group.
>
> By default, with Windows 2000, when you join a domain, domain admins and
> administrators has local admin rights on that computer to do things such as
> "Windows Updates", change network settings, add programs etc. You can't
> just create a group called Local Domain Admin then add them as a user
> account with admin rights because you can't add groups... only users locally
> on each station.
>
> I thought of removing domain admins from the administrators group on the
> domain and adding those users from each office to the domain admin but I'm
> not sure that it would be the right approach or would work.
>
> Does anyone have any ideas?
>
> Thanks,
> Dan
> DanTindell@Hotmail.com
>
>
 
Guest

No don't remove the domain admins group from the administrators group for
the domain. Create a global group of users to add the local administrators
group of the domain workstations. You can do that using Group Policy and
"restricted groups" at the Organizational Unit level where the domain
computer accounts reside. Note that you do NOT want to do it at the domain
level or they will end up being domain administrators. Using restricted
groups works well but it will remove all current users in the local
administrators groups [except built in admin] and replace it with what you
define in restricted groups. Otherwise you can use Group Policy "startup"
script and the net localgroup command to add the global group to the local
administrators group on the affected computers. The link below may
help. --- Steve

http://www.jsiinc.com/SUBK/tip5300/rh5319.htm

"Dan Tindell" <DanTindell@Hotmail.com> wrote in message
news:OKgfawA9EHA.3828@TK2MSFTNGP09.phx.gbl...
> We have an AD domain where other offices join the domain via VPN. My
> problem is in administrators. I need to give one or 2 people at each
> office the ability to have administrator priv's on all local 2k machines
> for the purpose of updates but I don't want them to have admin rights on
> our servers.
>
> My first thought was "domain admin" but that is part of the Administrators
> group.
>
> By default, with Windows 2000, when you join a domain, domain admins and
> administrators has local admin rights on that computer to do things such
> as "Windows Updates", change network settings, add programs etc. You
> can't just create a group called Local Domain Admin then add them as a
> user account with admin rights because you can't add groups... only users
> locally on each station.
>
> I thought of removing domain admins from the administrators group on the
> domain and adding those users from each office to the domain admin but I'm
> not sure that it would be the right approach or would work.
>
> Does anyone have any ideas?
>
> Thanks,
> Dan
> DanTindell@Hotmail.com
>
 
Guest

You are not well served by using Domain Admins for
anything except what it is intended for - managing the
domain. This group has a broad scope of capabilities, and
use of accounts that are members of it should be restricted.

Your observation that you cannot define a Local Admins
group and add it to Administrators implies that you are
letting people use machine local accounts instead of only
using domain accounts. If you have them use domain accounts
then you can group them into a domain local security group
and have this added to the machine local Administrators group.

I would highly recommend to you that you do not make the
accounts of those one or two people at each site special.
Their account should be as limited as any other person's
account at that site - able to do what they need to for their
day to day activities.
Instead, make available an account that is an admin for the
use of those one or two people when, and only when, they
need to do something that requires those capabilities. Also,
audit and monitor the login/logoff events of those empowered
accounts to make sure that they are being used only when
needed and in appropriate ways.
One can manage the machine local Administrators group for
all machines in an OU by use of a Restricted Group definition
in a GPO linked to the OU - if and only if the membership in
all of those machines is to be exactly the same. Otherwise
you can use a startup script that checks for membership of a
specific account or group in the machine local Administrators
group and, if not present, adds it/them.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Dan Tindell" <DanTindell@Hotmail.com> wrote in message
news:OKgfawA9EHA.3828@TK2MSFTNGP09.phx.gbl...
> We have an AD domain where other offices join the domain via VPN. My problem
> is in administrators. I need to give one or 2 people at each office the
> ability to have administrator priv's on all local 2k machines for the
> purpose of updates but I don't want them to have admin rights on our
> servers.
>
> My first thought was "domain admin" but that is part of the Administrators
> group.
>
> By default, with Windows 2000, when you join a domain, domain admins and
> administrators has local admin rights on that computer to do things such as
> "Windows Updates", change network settings, add programs etc. You can't
> just create a group called Local Domain Admin then add them as a user
> account with admin rights because you can't add groups... only users locally
> on each station.
>
> I thought of removing domain admins from the administrators group on the
> domain and adding those users from each office to the domain admin but I'm
> not sure that it would be the right approach or would work.
>
> Does anyone have any ideas?
>
> Thanks,
> Dan
> DanTindell@Hotmail.com
>
>
 
Guest

"Dan Tindell" <DanTindell@Hotmail.com> wrote in message
news:OKgfawA9EHA.3828@TK2MSFTNGP09.phx.gbl...
> We have an AD domain where other offices join the domain via VPN. My problem
> is in administrators. I need to give one or 2 people at each office the
> ability to have administrator priv's on all local 2k machines for the
> purpose of updates but I don't want them to have admin rights on our
> servers.

There are a couple of workable ways to do this:

1) Use a Restricted Group assigned to a location-specific
OU or maybe even a Site (although I have never tested
the idea of using the Site for this).

2) Manually add them on each station -- if you wish to
automate this you could build the Group on the domain,
e.g., CityAdmins, EastCoastAdmins, and then make
sure it is in the Administrators group of each machine
through a Startup script (running as the system account,
you can't do this from Logon scripts reliably.)

#1 is the "right way" but it implies you have organized
your OUs by locations unless the Site idea works.

The Site idea will definitely work for #2 BUT you
must also remember to REMOVE the location admins
if the machine is ever moved to another location/Site.

> My first thought was "domain admin" but that is part of the Administrators
> group.
>
> By default, with Windows 2000, when you join a domain, domain admins and
> administrators has local admin rights on that computer to do things such as
> "Windows Updates", change network settings, add programs etc. You can't
> just create a group called Local Domain Admin then add them as a user
> account with admin rights because you can't add groups... only users locally
> on each station.

Of course you can add Groups on each workstation,
but you must do it locally at each work station.

> I thought of removing domain admins from the administrators group on the
> domain and adding those users from each office to the domain admin but I'm
> not sure that it would be the right approach or would work.

No, as everyone else indicated do NOT remove
Domain Admins.
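
As an added example (not code posted by anyone in this thread), here is the kind of GPO computer Startup script that Steve's, Roger's and the last reply describe: it uses net localgroup to check whether a domain global group is already in the machine-local Administrators group and adds it only if it is missing, so it is safe to run at every boot. The domain name CONTOSO, the group EastCoastAdmins and the log file path are constructed for the example.

```batch
@echo off
rem Startup script: runs as LocalSystem at boot, so it can change local groups.
rem Assign it under Computer Configuration > Windows Settings > Scripts (Startup)
rem in a GPO linked to the OU that holds the workstation accounts, not to the
rem domain root, so it is never applied to domain controllers or servers.
rem Assumed (constructed) names: domain CONTOSO, global group EastCoastAdmins.
setlocal
set ADMGROUP=CONTOSO\EastCoastAdmins
set LOGFILE=%SystemRoot%\LocalAdminGroup.log

rem "net localgroup Administrators" lists current members one per line.
rem findstr /l searches for the literal name (backslash included) and exits
rem with errorlevel 1 when it is not found.
net localgroup Administrators | findstr /i /l /c:"%ADMGROUP%" >nul
if errorlevel 1 (
    rem Group is absent: add it and record the outcome for later review.
    net localgroup Administrators "%ADMGROUP%" /add
    if errorlevel 1 (
        echo %DATE% %TIME% FAILED to add %ADMGROUP% >> "%LOGFILE%"
    ) else (
        echo %DATE% %TIME% added %ADMGROUP% >> "%LOGFILE%"
    )
) else (
    rem Already a member: nothing to change, keep the existing membership intact.
    echo %DATE% %TIME% %ADMGROUP% already present >> "%LOGFILE%"
)
endlocal
```

Unlike Restricted Groups, this script leaves the other members of the local Administrators group in place; if a machine moves to another site, the old location group must be removed separately, as the last reply notes.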