From: Graeme Carstairs [mailto:loonyto...@gmail.com]
Sent: 10 June 2010 14:57
To: NT System Admin Issues
Subject: Re: Heres a weird one - customer wants to give domain admin rights
to non domain admin group members.
Yeh, that's what I thought.
I think they are wanting to make sure that if someone had the
admin account they couldn't set themselves up with full domain admin rights,
without having the account in the domain admin and local admin groups.
It's a security check thing, I think they are preparing to rem
or do you mean have admin rights without belonging to the local
administrators group? You could easily give them all permissions and user
rights normally restricted to Administrators, but that would kind of defeat
the entire object of having the administrators group in the first place.
On 10 June
Easily, with restricted groups GPO. Just add another group to local
Administrators group on the target server(s). We do this for servers that
require some level of third-party support, although we keep their accounts
limited to certain date periods.
On 10 June 2010 14:47, Graeme Carstairs wrote:
Yes,
Restricted Groups... Scope the GPO to the location in AD in which the
servers reside (usually a Servers OU accordingly). They will be local
administrators on those servers but not a Domain Admin.
Without knowing much else about the situation, I'd even say that is way
too much rights,