Create a domain group called IT Local Admins and add the domain IT Admin 
accounts you create to it.  Then add that group to the computers using 
restricted groups. Remember, restricted groups REPLACES everything in the local 
admin group when you apply that GPO. It does not add...it replaces.

From: David Lum [mailto:[email protected]]
Sent: Tuesday, July 19, 2011 1:32 PM
To: NT System Admin Issues
Subject: RE: non-local admin revisited

A local admin account?  So 50 IT folks would have 50 different local admin 
accounts? Other than the deny log on locally what keeps them from creating an 
admin account while logged in as admin?

Win 7 makes alternate credentials easy enough at least...

Dave.

From: Kennedy, Jim [mailto:[email protected]]
Sent: Tuesday, July 19, 2011 10:20 AM
To: NT System Admin Issues
Subject: RE: non-local admin revisited

+1

From: Don Ely [mailto:[email protected]]
Sent: Tuesday, July 19, 2011 1:19 PM
To: NT System Admin Issues
Subject: Re: non-local admin revisited

Provide them with an admin account and show them how to use "run-as"...  I also 
disable logon locally where I can get away with it so they don't cheat...

On Tue, Jul 19, 2011 at 10:10 AM, David Lum <[email protected]> wrote:

How do you bigger orgs handle IT staff (DBAs and the like) not being local 
admins on their systems? Invariably they are used to throwing on whatever they 
want and in some ways this helps the Help desk so they're not called to install 
stuff the user can install.

As we move to Windows 7 my recommendation is to yank local admin perms at the 
same time (yes everyone is local admin on their XP systems currently), but I 
foresee pushback from Service Desk and IT folks...

David Lum
Systems Engineer // NWEATM
Office 503.548.5229 // Cell (voice/text) 503.267.9764


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
[email protected]<mailto:[email protected]>
with the body: unsubscribe ntsysadmin
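
An added example, not part of the thread, of the replace behaviour described in the first reply: it parses a `[Group Membership]` section in the GptTmpl.inf style that Restricted Groups writes and previews which accounts an authoritative member list would drop from local Administrators. The CONTOSO domain, the WKS01 workstation, every account name and the function names are assumptions made for the illustration.

```python
import configparser

ADMINISTRATORS = "*S-1-5-32-544"  # well-known SID of BUILTIN\Administrators

# Constructed [Group Membership] section in the GptTmpl.inf style that
# Restricted Groups writes; CONTOSO and all account names are hypothetical.
SAMPLE_INF = r"""
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = CONTOSO\IT Local Admins,CONTOSO\Domain Admins
"""

# Constructed current membership of one workstation's local Administrators.
# The built-in Administrator account is left out: Windows keeps it in the group.
CURRENT = ["CONTOSO\\Domain Admins", "CONTOSO\\jsmith",
           "CONTOSO\\svc-backup", "WKS01\\localtech"]


def parse_group_membership(inf_text):
    """Return {group: {"Members": [...], "Memberof": [...]}} from the INF."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep key case; configparser lowercases by default
    cp.read_string(inf_text)
    policy = {}
    for key, value in cp["Group Membership"].items():
        group, _, kind = key.rpartition("__")
        names = [n.strip() for n in value.split(",") if n.strip()]
        policy.setdefault(group, {})[kind] = names
    return policy


def preview_replace(current, policy, group=ADMINISTRATORS):
    """Show what an authoritative Members list does to a local group."""
    if "Members" not in policy.get(group, {}):
        return {"removed": [], "added": [], "result": sorted(current)}
    wanted = policy[group]["Members"]
    have = {c.lower(): c for c in current}  # account names are case-insensitive
    want = {w.lower(): w for w in wanted}
    return {
        "removed": sorted(have[k] for k in have.keys() - want.keys()),
        "added": sorted(want[k] for k in want.keys() - have.keys()),
        "result": sorted(want.values()),
    }


if __name__ == "__main__":
    report = preview_replace(CURRENT, parse_group_membership(SAMPLE_INF))
    for action in ("removed", "added", "result"):
        print(f"{action:8}: {', '.join(report[action])}")
```

Running the same comparison against real membership exports before linking the GPO shows which service or support accounts would lose admin rights on each machine.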

