On Sat, 27 Sep 2003, Chris Smith wrote: > On Saturday 27 September 2003 15:00, John H Terpstra wrote: > > On each workstation make the Domain Admins group a member of the local > > Administrators group. > > John, I'm missing the point here as this shouldn't be necessary at all. The > only reason to add someone to the local Administrators group (outside of > using the system w/o DC control) would be to elevate an individual with less > then admin privileges granted by the DC to full admin privileges on a per > system basis. Domain Admins should automatically be granted admin privileges > on any system relying on the DC for authentication.
Chris, The only way that a domain user can gain admin priviliges ona domain member workstation is through domain users or domain groups being made members of a local workstation group that has sufficient rights and privilige to do what needs to be done. You are correct that the Domain Admins group should automatically become a member of the local Administrators group when a workstation or server becomes a domain member. Normal users are of course not members of the Domain Admins group by default. By default a normal domain user has no rights on a workstation except as permitted by the permissions and rights afforded by whatever group the domain user is in, and the resulting rights that user has on the workstation. - John T. -- John H Terpstra Email: [EMAIL PROTECTED] -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
