Very good Rick...
Now rewrite it to be done at the domain level and have it
1. Avoid DC's
2. Set one group for all member servers
3. Set another group for all clients
:o)
As for your guidelines, I completely agree. We have 3
domain admins (well, 4 counting the manager) for ~400 domain controllers around
the world. To get a domain admin ID in our group requires about 2-3 months of
being in our group doing what we say and then standing in front of the current
domain admins (one of them being me...) at a whiteboard answering any and all
questions thrown at you for about 3-4 hours. If it takes multiple meetings to
get all of the admins happy with you, so be it. Most of it is our site-specific
stuff, though there are some good core W2K questions that can be thrown in. It is
entirely ad hoc, based on how we feel the questions are being answered. That way
you can specifically study for what you think you will be asked; it could be
anything.
joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Thursday, December 04, 2003 11:38 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir]

OK - I'll toss in my two cents - do it via a startup script
in a group policy applied at whatever level is going to hit your
workstations. In the startup script (cmd, bat, vbs - whatever you're
comfortable with) you'll want something along the lines of:

@echo off
::Add2Admin.cmd
rem Runs as a GPO startup script, so it executes as LocalSystem.
set log=c:\audit.log
time /t > %log%
rem Change domain to your domain name but leave everything else.
set grp="<YourDomain>\Domain Admins"
set grp2="<YourDomain>\Workstation Admins"
echo Adding %grp% to local Administrators group >>%log%
net localgroup Administrators %grp% /add >>%log%
echo *************************************** >>%log%
echo Adding %grp2% to local Administrators group >>%log%
net localgroup Administrators %grp2% /add >>%log%
echo *************************************** >>%log%
rem Clear the variables so nothing leaks into later scripts.
set log=
set grp=
set grp2=
:EOF

What this accomplishes for us is a group that is maintained
in AD (Workstation Admins) is added to the local Administrators groups of the
workstation, along with the domain admins group. The Workstation Admins
group is our technical services group, responsible for managing and maintaining
the PC's. And, because it runs as a startup command, it runs at
LocalSystem context - therefore no issues in performing the
commands.
Under no circumstances do I trust anyone with Domain Admin
privileges that 1) do not absolutely require it, and 2) have not passed my
stringent requirements for the responsibility. It's way too easy for
someone to make mistakes that I ultimately will be responsible for, and it's
also too easy to make sure that those that need to do a particular job have
the permissions to do so. Two examples to cite - the script above and the
AD Delegation White Paper.
Rick Kingslan
MCSE, MCSA, MCT

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruce Clingaman
Sent: Thursday, December 04, 2003 9:44 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir]

You
could add him to the local administrators group using the computer management
tool. The addusers.exe can add users to local groups using the cmd or batch
file.
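Joe's request at the top of the thread (run it at the domain level, skip the DCs, one group for member servers and another for clients), written as a cmd startup script in the style of Rick's Add2Admin.cmd. This is an added example, not code from the thread; the group names, the log path, and reading the computer role from "net accounts" are assumptions.

```batch
@echo off
:: Add2Admin-ByRole.cmd - added example, not from the thread.
:: Domain-level startup script: skips domain controllers, adds one AD
:: group on member servers and another on workstations to the local
:: Administrators group. Group names and log path are assumptions.
setlocal
set log=c:\audit.log
set srvgrp="<YourDomain>\Server Admins"
set wsgrp="<YourDomain>\Workstation Admins"
set grp=
set role=

echo %DATE% %TIME% %COMPUTERNAME% >> %log%

:: "net accounts" prints the machine role: WORKSTATION, SERVER (member
:: server), or PRIMARY/BACKUP (domain controller). Third token is the role.
for /f "tokens=3" %%r in ('net accounts ^| find /i "Computer role"') do set role=%%r
echo Computer role: %role% >> %log%

if /i "%role%"=="PRIMARY" goto :SkipDC
if /i "%role%"=="BACKUP"  goto :SkipDC
if /i "%role%"=="SERVER"  set grp=%srvgrp%
if /i "%role%"=="WORKSTATION" set grp=%wsgrp%
if not defined grp (
    echo Unknown role "%role%", nothing added >> %log%
    goto :EOF
)

echo Adding %grp% to local Administrators >> %log%
:: 2>&1 keeps error text (e.g. "already a member") in the audit log.
net localgroup Administrators %grp% /add >> %log% 2>&1
if errorlevel 1 (echo   net localgroup returned %errorlevel% >> %log%) else (echo   OK >> %log%)
echo *************************************** >> %log%
goto :EOF

:SkipDC
echo Domain controller detected, no local group changes made >> %log%
goto :EOF
```

A GPO linked at the domain level is inherited by the Domain Controllers OU as well, which is why the script reads the role before touching the group.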
