The restricted group GPO won't take effect on the regular refresh
schedule, because the GPO itself will not have changed... IIRC it will
take closer to one day to notice that the once-compliant local group
is out of whack.

I think I'd just use a domain group nested into the machine's
builtin\administrators, and make sure to set a reminder to clear that
group after a little while.  Of course that's still assuming the users
won't give themselves extra access in the meantime.

--Steve

On Fri, Jan 4, 2013 at 11:42 AM, Crawford, Scott <[email protected]> wrote:
> Better suggestions have already been given, but I’ll throw this out as a
> possibility. Use restricted groups in a GPO to set who should normally be an
> admin. Then when the dev needs admin, add them to the administrators group
> on the local machine.  Once they’re logged in, they’ll have the admin SID in
> their token and will be able to stay logged in as long as necessary.  But,
> within 45 minutes, the GPO refreshes and removes them from the group.
>
>
>
> From: David Lum [mailto:[email protected]]
> Sent: Friday, January 04, 2013 9:40 AM
>
>
> To: NT System Admin Issues
> Subject: Occasional local admin needed
>
>
>
> How would you guys handle this? I have a server that the developers use
> where they occasionally (once a month or so) need local admin access to
> install/upgrade an app or feature they use. This is a new-ish server where
> previously I have just added a user (it’s the same one each time) to the
> local admin group then a week later taken them out, but that’s cumbersome and
> I become the single point of failure on remembering to back them out.
>
>
>
> I could 1. create a special AD account for this user to be local admin, or
> 2. create an AD group, put this person in it, then GPO that group into
> local admins on that server.
>
>
>
> Suggestions?
>
> David Lum
> Sr. Systems Engineer // NWEATM
> Office 503.548.5229 // Cell (voice/text) 503.267.9764
>
>
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to [email protected]
> with the body: unsubscribe ntsysadmin
>
>
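
An added example, not part of the thread or written by any of its participants: a cleanup script for the nested domain group approach, meant to run on a schedule so that backing the user out no longer depends on someone remembering. It also reports unexpected members of the server's local Administrators group. The group, server and domain names are hypothetical placeholders, and it assumes the ActiveDirectory module, PowerShell remoting to the server, and `Get-LocalGroupMember` (Windows PowerShell 5.1 or later) on the server.

```powershell
#Requires -Modules ActiveDirectory
# Added example. Every name below is a hypothetical placeholder, not from the thread.
$TempGroup = 'SRV-DevApp-TempAdmins'   # domain group nested in the server's BUILTIN\Administrators
$Server    = 'DEVAPP01'                # server the developers use
$Expected  = @(                        # constructed allowlist of normal local admins
    'DEVAPP01\Administrator',
    'CONTOSO\Domain Admins',
    "CONTOSO\$TempGroup"
)
$LogFile   = Join-Path $env:ProgramData 'TempAdminCleanup.log'

function Write-Log([string]$Message) {
    # Sortable UTC-style timestamp followed by the message
    "{0:u} {1}" -f (Get-Date), $Message | Add-Content -Path $LogFile
}

# 1. Empty the temporary admin group. Sessions that are already logged on
#    keep the admin SID in their token until logoff, so this only stops
#    new logons from receiving it.
$members = @(Get-ADGroupMember -Identity $TempGroup)
foreach ($m in $members) {
    Remove-ADGroupMember -Identity $TempGroup -Members $m -Confirm:$false
    Write-Log "Removed $($m.SamAccountName) from $TempGroup"
}

# 2. Look for anything a temporary admin may have added to the local
#    Administrators group while they had access.
$local = Invoke-Command -ComputerName $Server -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object -ExpandProperty Name
}
$unexpected = @($local | Where-Object { $Expected -notcontains $_ })
foreach ($u in $unexpected) {
    Write-Log "UNEXPECTED local admin on ${Server}: $u"
}

# A non-zero exit code lets a scheduled task or monitor flag the run.
if ($unexpected.Count -gt 0) { exit 1 }
```

Run it from a scheduled task under an account that can modify the group and remote to the server.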
