They replace the contents completely - we simply have Domain Admins, the local admin account and the relevant server admin group specified in the GPO
2009/3/24 Eisenberg, Wayne <[email protected]>

> So Restricted Groups add to the local group, not replace the entire
> contents of the local group?
>
> ------------------------------
> *From:* James Rankin [mailto:[email protected]]
> *Sent:* Tuesday, March 24, 2009 4:40 AM
> *To:* NT System Admin Issues
> *Subject:* Re: How many domain admins do you have?
>
> Group your servers into GPOs such as Citrix Servers, Exchange Servers, etc.,
> create a group called Citrix Server Admins or whatever, and use Restricted
> Groups to add that group to local Administrators for the servers in that OU.
> Users are then added to the relevant server admin group and inherit admin
> rights to the group of servers.
>
> 2009/3/23 Eisenberg, Wayne <[email protected]>
>
>> I'm curious - how do you do that with GPOs?
>>
>> Wayne
>>
>> ------------------------------
>> *From:* James Rankin [mailto:[email protected]]
>> *Sent:* Monday, March 23, 2009 11:57 AM
>> *To:* NT System Admin Issues
>> *Subject:* Re: How many domain admins do you have?
>>
>> Only those who require Domain Administrator rights get them (those who
>> work extensively on AD). Everyone else has their server admin rights limited
>> via GPO to subsets of machines. We have custom groups for Exchange Server
>> Admins, Citrix Admins, VirtualCenter admins, SQL admins, WebSense admins -
>> on and on it goes.
>>
>> Even the high-level guys have an ordinary account for normal work and an
>> elevated admin account to be used when needed. I would guess that most
>> Domain Admin access in our AD is held by service accounts, rather sadly,
>> although these accounts cannot log on interactively, so their use is
>> limited that way.
>>
>> 2009/3/23 David Lum <[email protected]>
>>
>>> General poll: How many Systems Engineers do you guys have and how many
>>> of them are domain administrators? If you don’t want to divulge specifics
>>> then percentages would work. For us we’re at about 13 DA’s / 13 SE’s,
>>> although I think we should be closer to say, 4/13.
>>>
>>> Comments?
>>>
>>> *David Lum* // SYSTEMS ENGINEER
>>> NORTHWEST EVALUATION ASSOCIATION
>>> (Desk) 971.222.1025 // (Cell) 503.267.9764
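The add-versus-replace question in this thread corresponds to two entry types in the `[Group Membership]` section of a GPO's `GptTmpl.inf`: `__Members` (authoritative list) and `__Memberof` (additive). The Python below is an added example, not code from anyone in the thread; it parses a constructed template and models the effect on local Administrators. The SIDs, the function names and the "replace, then add" ordering are assumptions made for illustration.

```python
import re

ADMINS = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators

# Constructed sample; the domain SIDs are placeholders, not values from the thread.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111-2222-3333-512,Administrator,*S-1-5-21-1111-2222-3333-1601
*S-1-5-21-1111-2222-3333-1602__Memberof = *S-1-5-32-544
*S-1-5-21-1111-2222-3333-1602__Members =
[Version]
signature="$CHICAGO$"
"""

def parse_restricted_groups(inf_text):
    """Return (group, mode, principals) tuples from [Group Membership]."""
    results, in_section = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        m = re.fullmatch(r"(.+)__(Members|Memberof)", key.strip(), re.IGNORECASE)
        if not m:
            continue
        # Entries are SIDs prefixed with '*' or plain account names.
        principals = [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
        if not principals:
            continue  # assumption: empty lists are not modelled in this example
        mode = "replace" if m.group(2).lower() == "members" else "add"
        results.append((m.group(1).lstrip("*"), mode, principals))
    return results

def resulting_members(target, current, entries):
    """Model the membership of `target` after the entries are applied."""
    members = set(current)
    for group, mode, principals in entries:
        if mode == "replace" and group == target:
            members = set(principals)   # anything not listed is dropped
    for group, mode, principals in entries:
        if mode == "add" and target in principals:
            members.add(group)          # existing members are kept
    return members
```

Running `resulting_members(ADMINS, current, parse_restricted_groups(text))` against a server's current local Administrators list shows which accounts a `__Members` entry would remove before the GPO is linked.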
