I have used Restricted Groups before and would not be keen to use them on servers.
Further discussion with the client revealed it was a "hypothetical" from HR as to whether or not it could be done.

Thanks for all the suggestions.

Graeme

On 10 June 2010 16:55, Alan Davies <[email protected]> wrote:

> First - do not use Restricted Groups on your servers without understanding
> them. You'll most likely strip out every service account in one quick step
> and break your entire business!!
>
> Second - yes, you can just create a domain group and have that added to
> the local Administrators group on every server via GPO (could be a script,
> could be Restricted Groups ... the latter is a better option, but see the
> earlier warning!).
>
> However, if you're looking at a user and they're not a Domain Admin but
> you're worried they could possibly have admin on servers or on AD services,
> you're out of luck. There are a million sneaky ways they could have added
> themselves or a sneaky group to various ACLs on servers, in AD, in all sorts
> of devious places.
>
> If you're hugely concerned and they need to still have access for some
> time, create a new account with no privs and have them use that once you've
> disabled the other account. It's the only way. However .. if they know
> service account passwords, etc., then they can get access back that way too
> ...
>
> a
>
> ------------------------------
> *From:* Graeme Carstairs [mailto:[email protected]]
> *Sent:* 10 June 2010 14:57
> *To:* NT System Admin Issues
> *Subject:* Re: Heres a weird one - customer wants to give domain admin
> rights to non domain admin group members.
>
> Yeah, that's what I thought.
>
> I think they are wanting to make sure that if someone had the
> admin account they couldn't set themselves up with full domain admin rights
> without having the account in the Domain Admins and local Administrators groups.
>
> It's a security check thing; I think they are preparing to remove someone, or
> someone is leaving who had domain admin rights on a second admin account, and
> they want to be sure they haven't set anything else up.
>
> I'll check the GPOs.
>
> Graeme
>
> On 10 June 2010 14:52, James Rankin <[email protected]> wrote:
>
>> Or do you mean have admin rights without belonging to the local
>> Administrators group? You could easily give them all permissions and user
>> rights normally restricted to Administrators, but that would kind of defeat
>> the entire object of having the Administrators group in the first place.
>>
>> On 10 June 2010 14:47, Graeme Carstairs <[email protected]> wrote:
>>
>>> I have been asked by a customer if on their 2003 AD domain it is possible
>>> for someone to have admin rights to the servers and not be a member of
>>> Domain Admins.
>>>
>>> and local admin groups on member servers.
>>>
>>> Anyone know if it can be done?
>>>
>>> Graeme
>>>
>>> --
>>> Good news everyone, you have just received an e-mail from me!
>>
>> --
>> "On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into
>> the machine wrong figures, will the right answers come out?' I am not able
>> rightly to apprehend the kind of confusion of ideas that could provoke such
>> a question."
>
> --
> Good news everyone, you have just received an e-mail from me!

--
Good news everyone, you have just received an e-mail from me!
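The two things Alan's reply covers (push one domain group into the local Administrators group on every server without wiping what is already there, then check where else a departing admin's second account has been granted rights) as an added PowerShell example. This is not code from the thread; it uses ADSI (WinNT:// and LDAP://) so it runs against a 2003-era domain without the ActiveDirectory module, and the server names, domain DN, approved-principal list and the sample account name are placeholders, not values from the discussion.

```powershell
# Added example, not from the original thread. Audits the local Administrators
# group on a list of member servers, optionally adds one domain group to it, and
# lists every ACE in AD granted to a given principal (where a "sneaky" grant hides).
# Written for PowerShell 2.0 / ADSI so it works against Windows Server 2003.
# Server names, domain and approved list below are assumptions.

$Servers  = @('SRV01', 'SRV02')                 # assumption: your member servers
$DomainDN = 'DC=contoso,DC=com'                 # assumption: your domain
$Approved = @('CONTOSO\Domain Admins',          # assumption: the only principals that
              'CONTOSO\ServerAdmins',           #   should sit in local Administrators
              'Administrator')                  # built-in local account

# Returns the DIRECT members of a server's local Administrators group as DOMAIN\Name
# (local accounts come back as SERVER\Name). Nested domain groups are not expanded,
# so a group hidden inside an approved group still needs a separate look.
function Get-LocalAdminMembers {
    param([Parameter(Mandatory=$true)][string]$ComputerName)
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        # ADsPath is WinNT://DOMAIN/Name for domain principals and
        # WinNT://DOMAIN/SERVER/Name for local accounts; keep the last two parts.
        $path  = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $parts = ($path -replace '^WinNT://', '') -split '/'
        '{0}\{1}' -f $parts[-2], $parts[-1]
    }
}

# Adds a domain group to one server's local Administrators group. Unlike a
# Restricted Groups "Members of this group" policy, this is additive: existing
# members (service accounts included) are left in place.
function Add-DomainGroupToLocalAdmins {
    param([Parameter(Mandatory=$true)][string]$ComputerName,
          [Parameter(Mandatory=$true)][string]$Domain,
          [Parameter(Mandatory=$true)][string]$GroupName)
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    $group.Add("WinNT://$Domain/$GroupName,group")
}

# Returns every ACE on objects under $SearchBase whose trustee is $Principal
# (e.g. 'CONTOSO\jsmith-adm'). This walks the whole subtree, so start with an
# OU on a large directory before pointing it at the domain head.
function Get-AdAcesForPrincipal {
    param([Parameter(Mandatory=$true)][string]$Principal,
          [string]$SearchBase = $DomainDN)
    $root = [ADSI]"LDAP://$SearchBase"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter   = '(objectClass=*)'
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    foreach ($result in $searcher.FindAll()) {
        $entry = $result.GetDirectoryEntry()
        foreach ($ace in $entry.psbase.ObjectSecurity.Access) {
            if ($ace.IdentityReference.Value -eq $Principal) {
                New-Object PSObject -Property @{
                    Object    = $entry.Properties['distinguishedName'].Value
                    Rights    = $ace.ActiveDirectoryRights
                    Type      = $ace.AccessControlType
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Report anything in local Administrators that is not on the approved list.
foreach ($s in $Servers) {
    try   { $members = Get-LocalAdminMembers -ComputerName $s }
    catch { Write-Warning ("{0}: could not read local Administrators: {1}" -f $s, $_); continue }
    foreach ($m in $members) {
        # Local accounts are reported as SERVER\Name; compare the bare name too.
        $localName = $m -replace ('^' + [regex]::Escape($s) + '\\'), ''
        if ($Approved -notcontains $m -and $Approved -notcontains $localName) {
            Write-Output ("{0}: unexpected member of local Administrators: {1}" -f $s, $m)
        }
    }
}

# Usage (placeholder names): push the delegated group out, then see what a
# departing admin's second account still holds directly in AD.
# Add-DomainGroupToLocalAdmins -ComputerName 'SRV01' -Domain 'CONTOSO' -GroupName 'ServerAdmins'
# Get-AdAcesForPrincipal -Principal 'CONTOSO\jsmith-adm' | Format-Table Object, Rights, Type, Inherited -AutoSize
```

The local-group audit only sees what is directly in Administrators on each box; a domain group nested inside an approved group, a grant on a share or service ACL, or a user right assigned by policy will not show up here, which is the "million sneaky ways" point in the reply. The AD ACE walk matches on the account name, so run it once per account the person holds, and note that it reports rights on AD objects only, not membership in anything.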
