Yeah as Brian mentioned, in larger implementations, it is almost certainly not
the domain admins that are managing servers and workstations; the DAs focus
on the DCs and domains as a whole and local admins deal with members and
workstations. In fact, in a large, large org, you will often see one set of
admins dealing with workstations and one set of admins dealing with servers
PER building with hundreds of buildings. Some may say, well that makes no
sense. But it does if the building has some 8000 users in it and is part of
an org with hundreds of thousands of users. 

I often have told people to even remove Domain Admins from their local admin
groups just to help cut down on accidents made by the DAs. Of course the DAs
could get the access back anytime they want, but they would have to put an
effort into it so it isn't any kind of a security barrier, just an accident
barrier. 
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
aka Ebitz - SBS Rocks [MVP]
Sent: Monday, October 03, 2005 11:16 PM
To: [email protected]
Subject: Re: [ActiveDir] AD Question for your peers-GPO

Uh guys?  Can I be annoying and ask a stupid question here?

"Could you check with your peers about how we could define a group
policy that would add a universal group or global group automatically into
the local admin group of computers into a specific OU? I remember reading
that this is possible, but I can't find any documentation about it."


Yes it can be done, but let's step back a bit.

Why do you need local admin?  And especially on member servers?

Forgive me...but in my network this is one of the worst ways you can set up
your workstations.  This means that the stupidest person on the planet in
your office can infect your entire network.  You really want that?

If you are doing this because some stupid line of business app says "we
won't support you unless you run as local admin on the desktops" [aka
Quickbooks in my office] use Filemon and Regmon to figure out the perms to
adjust and hack that registry/file perms to get the stupid app to work in
standard user/LUA.  http://www.sbslinks.com/lua2.htm

Even if you aren't willing to do that.. if you are doing this for the
benefit of some app that says "you need local admin access" please give me
the name so I can post it on the www.threatcode.com web site.

We've got to get vendors ready for Vista's LUA/UAP stuff.

Brian Desmond wrote:

>Cool. I haven't used restricted groups really since it was introduced 
>originally. I vaguely recall hearing something about this though.
>
>
>Thanks,
>Brian Desmond
>[EMAIL PROTECTED]
> 
>c - 312.731.3132
> 
> 
>
>-----Original Message-----
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of 
>[EMAIL PROTECTED]
>Sent: Monday, October 03, 2005 9:58 PM
>To: [email protected]
>Subject: RE: [ActiveDir] AD Question for your peers-GPO
>
>Brian,
> 
>the "wipe and load" behavior is a thing of the past with the 
>introduction of the new "MemberOf" attribute. Here's a short reply I 
>posted on another list a while back.
> 
>Another option is to use the "MemberOf" option in a "Restricted Groups" GPO.
>Say the group is called GrpA and you want it to be a member of the 
>administrators group in every client in ClientsOU. You will create and 
>apply a group policy to ClientsOU. In that policy, you will create a 
>restricted group object, by adding GrpA. Then in the properties, you 
>will choose the "this group is a member of:" and type in "administrators".
> 
>By doing the above, the existing members of the "administrators" group 
>are not removed. The process will simply append GrpA to the membership 
>list on "administrators".
> 
>HTH
> 
> 
>Sincerely,
>
>Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
>Microsoft MVP - Directory Services
>www.readymaids.com - we know IT
>www.akomolafe.com
>Do you now realize that Today is the Tomorrow you were worried about 
>Yesterday?  -anon
>
>________________________________
>
>From: [EMAIL PROTECTED] on behalf of Brian Desmond
>Sent: Mon 10/3/2005 4:14 PM
>To: [email protected]
>Cc: '# Jose Medeiros-IBM (E-mail)'
>Subject: RE: [ActiveDir] AD Question for your peers-GPO
>
>
>
>Yes. You want to use the Restricted Groups function in the computer 
>config area. Be aware it is a replacement not a merge, so, things 
>already in there will get blasted
>
>
>Thanks,
>Brian Desmond
>[EMAIL PROTECTED]
>
>c - 312.731.3132
>
>
>
>-----Original Message-----
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
>Sent: Monday, October 03, 2005 4:12 PM
>To: [email protected]
>Cc: # Jose Medeiros-IBM (E-mail)
>Subject: [ActiveDir] AD Question for your peers-GPO
>
>
>We have three child domains off our root domain and basically we want 
>to add a global or universal group ( We are in Native mode on AD 2003) 
>to the local admin group on member servers & workstations in a child 
>domain, every time a new computer account is added to AD. Is this possible
>using a GPO?
>( Please read the message below )
>
>Jose :-)
>
>  
>
>> -----Original Message-----
>>From:         Ebias, Danilo 
>>Sent: Monday, October 03, 2005 11:57 AM
>>To:   Medeiros, Jose
>>Subject:      AD Question for your peers
>>
>>Jose,
>>Could you check with your peers about how we could define a group
>>policy that would add a universal group or global group automatically 
>>into the local admin group of computers into a specific OU? I remember 
>>reading that this is possible, but I can't find any documentation about it.
>
>>Thanks,
>>dan
>>
>>Danilo Ebias, Jr.
>>ADP | National Account Services
>>ProBusiness Division | Information Services
>>925.737.7035
>>
>>    
>>
>
>List info   : http://www.activedir.org/List.aspx
>List FAQ    : http://www.activedir.org/ListFAQ.aspx
>List archive: 
>http://www.mail-archive.com/activedir%40mail.activedir.org/

--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
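The "replace" versus "append" distinction the thread turns on is visible in the GPO's own security template. The following is an added audit script, not code from the list or from any poster; it assumes (my assumption, not stated in the thread) that Restricted Groups are stored in the `[Group Membership]` section of the policy's `GptTmpl.inf` as `<group>__Members` (the "Members" tab, an exact list that replaces existing membership) and `<group>__Memberof` (the "Member Of" tab, which appends the group and keeps existing members), and the sample template is constructed.

```python
"""Audit Restricted Groups entries in a GPO's GptTmpl.inf (constructed sample).

Assumed layout (my assumption): [Group Membership] section with lines
  <group>__Members  = <list>   -> exact list, REPLACES current members
  <group>__Memberof = <list>   -> appends <group> to each listed group
where <group> and list items are *SID or DOMAIN\\Name.
"""
import re

BUILTIN_ADMINISTRATORS = "*S-1-5-32-544"  # well-known SID of local Administrators

# Constructed sample: GrpA configured the "replace" way, GrpB the "append" way.
SAMPLE_GPTTMPL = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Members = CONTOSO\\GrpA
CONTOSO\\GrpB__Memberof = *S-1-5-32-544
"""


def parse_group_membership(text):
    """Return [(group, mode, [targets])] for every [Group Membership] entry."""
    entries, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):                      # section header
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        m = re.match(r"^(.+)__(Members|Memberof)$", key.strip(), re.IGNORECASE)
        if not m:
            continue
        targets = [t.strip() for t in value.split(",") if t.strip()]
        entries.append((m.group(1), m.group(2).lower(), targets))
    return entries


def audit(text):
    """Flag which entries replace membership and which ones touch Administrators."""
    findings = []
    for group, mode, targets in parse_group_membership(text):
        findings.append({
            "group": group, "mode": mode, "targets": targets,
            "replaces_existing": mode == "members",       # the "blasted" case
            "touches_admins": group == BUILTIN_ADMINISTRATORS
                              or BUILTIN_ADMINISTRATORS in targets,
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_GPTTMPL):
        if f["replaces_existing"]:
            print(f"{f['group']}: membership REPLACED with {f['targets']}")
        else:
            print(f"{f['group']}: appended to {f['targets']}, existing members kept")
```

Run it against a copy of the template pulled from SYSVOL to see, before linking the policy, whether it will append the group as Dèjì describes or replace the local Administrators membership as Brian warns.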