Thanks for correcting me on this. I would much rather use restricted groups than have the script I run every time the machine is booted up.
Mike

From: joe [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 13, 2004 8:55 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] enterprise-wide accounts

Mike, the functionality recently changed; that was a subject of a conversation on this list. Many of us were quite happily surprised to learn of the change.
-------------
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Tuesday, April 13, 2004 6:23 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] enterprise-wide accounts

> won't Restricted groups remove any groups that are in the administrators group
> now except for the ones you specify?

Not if you have Win2k SP4 or Win2k3 and use the "MemberOf" option of the restricted groups.
/Guido
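The distinction Guido is pointing at lives in the GptTmpl.inf that the Restricted Groups editor writes into SYSVOL (under the GPO's Machine\Microsoft\Windows NT\SecEdit folder): a `__Members` entry for a group enforces that exact member list at every refresh, while a `__Memberof` entry on the universal group only adds it to the listed groups and leaves the current members alone. The following Python script is an added example, not code from this thread or from Microsoft; it parses the [Group Membership] section of two constructed templates (the S-1-5-21-... SID is a made-up placeholder for a universal group such as DOMAIN\ServerAdmins) and reports whether the template would replace the Administrators membership or merely add to it.

```python
"""Audit a Restricted Groups template (GptTmpl.inf) for the Administrators group.

Added example; not code from the thread. It reads the [Group Membership] section
of a GptTmpl.inf and tells the two configuration forms apart:

  *<SID>__Members  = ...   "Members of this group": the list is enforced and
                           anyone not listed is removed at policy refresh.
  *<SID>__Memberof = ...   "This group is a member of": <SID> is added to the
                           listed groups and existing members are left alone.
"""
import re

ADMINISTRATORS_SID = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators

# Placeholder SID for a universal group such as DOMAIN\ServerAdmins (constructed).
SERVER_ADMINS_SID = "S-1-5-21-1111-2222-3333-1105"

# Constructed sample 1: Administrators configured with a Members list. Only the
# universal group survives a refresh; Domain Admins and local admins are stripped.
EXCLUSIVE_INF = f"""\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*{ADMINISTRATORS_SID}__Memberof =
*{ADMINISTRATORS_SID}__Members = *{SERVER_ADMINS_SID}
"""

# Constructed sample 2: the universal group configured with "Member of"
# Administrators. The group is added and the current members are kept.
ADDITIVE_INF = f"""\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*{SERVER_ADMINS_SID}__Memberof = *{ADMINISTRATORS_SID}
*{SERVER_ADMINS_SID}__Members =
"""

_KEY_RE = re.compile(r"\*?(?P<group>.+?)__(?P<mode>Members|Memberof)$", re.IGNORECASE)


def parse_group_membership(inf_text):
    """Return [(group, mode, [values])] for every entry in [Group Membership].

    A leading '*' marks a SID in this file format; it is stripped so that SIDs
    compare cleanly. Plain group names (e.g. 'Administrators') pass through.
    """
    entries = []
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        match = _KEY_RE.match(key.strip())
        if not match:
            continue
        values = [v.strip().lstrip("*") for v in value.split(",") if v.strip()]
        mode = "Members" if match.group("mode").lower() == "members" else "Memberof"
        entries.append((match.group("group"), mode, values))
    return entries


def exclusive_members_for(entries, target=ADMINISTRATORS_SID):
    """Return the enforced member list if target has a __Members entry, else None.

    A defined list, even an empty one, replaces the group's current membership.
    """
    for group, mode, values in entries:
        if group == target and mode == "Members":
            return values
    return None


def additive_members_of(entries, target=ADMINISTRATORS_SID):
    """Return the groups that the template adds to target via __Memberof."""
    return [group for group, mode, values in entries
            if mode == "Memberof" and target in values]


def audit(inf_text):
    """Summarise how the template touches the local Administrators group."""
    entries = parse_group_membership(inf_text)
    return {
        "exclusive": exclusive_members_for(entries),
        "additive": additive_members_of(entries),
    }


if __name__ == "__main__":
    for name, inf in (("exclusive", EXCLUSIVE_INF), ("additive", ADDITIVE_INF)):
        result = audit(inf)
        if result["exclusive"] is not None:
            print(f"{name}: Administrators membership REPLACED by {result['exclusive']}")
        else:
            print(f"{name}: {result['additive']} added to Administrators, existing members kept")
```

Run it against a GptTmpl.inf copied out of SYSVOL before linking the GPO to the Server OUs: a non-None "exclusive" result on S-1-5-32-544 means the policy will strip every administrator not on the list at the next refresh, which is the behaviour Mike was worried about.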
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Celone
Sent: Wednesday, April 14, 2004 00:07
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] enterprise-wide accounts

Alternatively you can do what we do here. We have a startup script that runs from a GPO that adds a group to the local administrators group every time the machine is started up. The script looks like this:

    net localgroup administrators "domain\admins" /add

Just create a UG for all the admins and add them to it; then when the servers are rebooted this script will run and add the group to the machine's local administrators group. If you can't wait for the servers to be rebooted, you can create a script that will read the servers in line by line and add this group to their local administrators group.
Don't get me wrong, Guido's solution will work also, but won't Restricted groups remove any groups that are in the administrators group now except for the ones you specify?
Mike

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Tuesday, April 13, 2004 5:47 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] enterprise-wide accounts

Domain Admins is a global group, and as such you can't add users from other domains to it. While other global groups can be converted to universal groups, you can't do so for the Domain Admins group.
A solution to your problem is to use the restricted groups GPO feature (which will not work for your legacy machines in the AD domain) to add a universal group to the administrators group of all Server-OUs. I wouldn't want to set this GPO at the domain level, as then you're putting your AD domains at risk as well, if you do something wrong... The UG to use can either be the Enterprise Admins group or any other UG you assign for the task.
/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Depp, Dennis M.
Sent: Tuesday, April 13, 2004 22:16
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] enterprise-wide accounts

What about adding them to each domain admins group for each domain?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Tuesday, April 13, 2004 4:05 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] enterprise-wide accounts

We'd like to eventually trim down the number of domains and get to an OU-based administrative model. But in the meantime, we have identified a couple of people that we want to have domain admin rights in all domains. I know that making them an enterprise admin allows them domain admin rights on the DCs in each domain because of membership in the BUILTIN\Administrators group in each domain. But that doesn't allow logon to all the member servers. How do I best grant "domain admin-level" rights across all domains in the forest with a single logon for each of these persons? Looking for a best practice.
Thanks!
Mark Creamer
Systems Engineer
Cintas Corporation
Honesty and Integrity in Everything We Do