RE: [ActiveDir] enterprise-wide accounts

[Celone, Mike]

Thanks for correcting me on this.  I would much rather use restricted groups than have the script I run everytime the machine is booted up.    Mike From: joe [mailto:[EMAIL PROTECTED] Sent: Tuesday, April 13, 2004 8:55 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] enterprise-wide accounts Mike, the functionality recently changed, that was a subject of a conversation on this list. Many of us were quite happily surprised to learn of the change.   ------------- http://www.joeware.net   (download joeware) http://www.cafeshops.com/joewarenet  (wear joeware)       From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido Sent: Tuesday, April 13, 2004 6:23 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] enterprise-wide accounts > won't Restricted groups remove any groups that are in the administrators group > now except for the ones you specify?   not if you have Win2k SP4 or Win2k3 and use the "MemberOf" option of the restricted groups.   /Guido From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Celone Sent: Mittwoch, 14. April 2004 00:07 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] enterprise-wide accounts Alternatively you can do what we do here.  We have a startup script that runs from a GPO that adds a group to the local administrators group everytime the machine is started up.  The script looks like this   net localgroup administrators /add "domain\admins"   Just create a UG for all the admins and add them to it, then when the servers are rebooted add this script will run and add the group to the machine's local administrator group.  If you can't wait for the servers to be rebooted you can create a script that will read the servers in line by line and add this group to their local administrators group.   Don't get me wrong Guido's solution will work also but won't Restricted groups remove any groups that are in the administrators group now except for the ones you specify?   Mike From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido Sent: Tuesday, April 13, 2004 5:47 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] enterprise-wide accounts domain admins is a global group and as such you can't add users from other domains to it. While other global groups can be converted to universal groups, you can't do so for the domain admins group.   a solution to your problem is to use the restricted groups GPO feature (which will not work for your legacy machines in the AD domain) to add a universal group to the administrators group of all Server-OUs. I wouldn't want to set this GPO at the domain level, as then you're putting your AD domains at risk as well, if you do something wrong...  The UG to use can either be the Enterprise Admins group or any other UG you assign for the task.   /Guido From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Depp, Dennis M. Sent: Dienstag, 13. April 2004 22:16 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] enterprise-wide accounts What about adding them to each domain admins group for each domain? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark Sent: Tuesday, April 13, 2004 4:05 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] enterprise-wide accounts We'd like to eventually trim down the number of domains and get to an OU-based administrative model. But in the mean time, we have identified a couple of people that we want to have domain admin rights in all domains. I know that making them an enterprise admin allows them domain admin rights on the DCs in each domain because of membership in the BUILTIN\Administrators group in each domain. But that doesn't allow logon to all the member servers. How do I best grant "domain admin-level" rights across all domains in the forest with a single logon for each of these persons? Looking for a best practice.   Thanks!   Mark Creamer Systems Engineer Cintas Corporation Honesty and Integrity in Everything We Do