It sounds to me like you may have issues with rights delegation. Ideally you should not be using the administrators group to assign permissions to perform specific tasks. Instead, you should use domain based groups that have been assigned specific AD rights or specific localized privileges. For example, if you have someone involved in your web applications that should have admin on the 10 servers for web apps but not for any other server in the organization, you construct a group called "IT - WebApp Admins" which is by default assigned no rights at the AD level. You login to the 10 servers or whatever that make up the administrative scope for this privilege and assign this new group administrator rights locally.
This can be more time consuming to implement but is a far more granular implementation of rights in the long term. Now as far as specifically locking out an administrator irregardless of admin rights that may already be assigned is through one of two methods. Either the local security policy (pre-vista) or the assignment of security policy through a GPO (nearly any windows OS in a domain environment). You need to deny logon locally and/or deny logon through the network. The only other thing you need to consider here is that your RDP rights assignment for a given machine may include blanket permissions for administrators group. You will want to look at that. As far as disabling a computer is concerned, are you looking to physically disable it so it will not turn on or simply remove it from network use? At the present time, I am guessing the latter but in either case there is no way to authoritatively do either without moving beyond MS/Windows environment and work on the network switch. In a Server 2008 environment with appropriate hardware, the answer for the latter is excersizing Network Access Protection (NAP) which one would hope was already in your network infrastructure. NAP: http://technet.microsoft.com/en-us/network/bb545879.aspx Wayne S. Anderson http://www.linkedin.com/in/wayneanderson -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, August 30, 2007 12:19 AM To: [email protected] Subject: Active Directory What is the easiest way to lock an lower level administrator from using the PC via Active Directory? When disabling a computer what else can be done with out having to block the IP address or MAC to make sure the PC does not get on the network and or changed the computer name?
