On 7/19/2017, 11:57:57 AM, Pedro <[email protected]> wrote:
> Tanstaafl wrote
>> When you join a machine to a domain, the 'Domain Admins' group is
>> automatically added to the Local Administrators group on the computer
>> that was joined. It has been this way forever (as long as I can
>> remember), and is extremely useful, and is simply not a 'security issue'
>> as you suggest.
>
> Actually that is not true.

Actually, yes it is.

> At my workplace I have to manually add the domain admin to the PC's
> admin group on each computer

I didn't say it added a 'Domain Admin' user, I said it adds the 'Domain Admins' GROUP (so that any member of that group automatically gets local admin rights on the PC when logging in).

I leverage this behavior in my domain to allow me to quickly allow certain users to have Local Admin privileges by defining a 'Local Admins' group, and also adding that Group to the local 'Administrators' group on the PC when it is joined. Then all I have to do is add a user to that group, and they automatically get Local Admin Rights on their workstation.

Caveat: you must be careful, because by default, lots of network shares automatically assign the 'Administrators' Group with full access, and a bug in Windows doesn't differentiate between the DOMAIN 'Administrators' group and the LOCAL PC 'Administrators' group.

> Maybe some setting was misconfigured by our IT

Since this is the default, then yes, something is broken for your domain - whether accidental, or some misguided 'admin' wannabe decided to be 'clever' and disable this essential/default behavior.

> but my point is you should not assume everything everywhere works as
> you think it does.

Actually, it makes perfect sense to ass-u-me that a system is functioning correctly, so that someone can learn that it isn't, just as you have now learned in this discussion.

--
To unsubscribe e-mail to: [email protected]
Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
List archive: http://listarchives.libreoffice.org/global/users/
All messages sent to this list will be publicly archived and cannot be deleted
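The disagreement in this message can be settled per machine by listing who is actually in the built-in local Administrators group. The following PowerShell is an added example, not part of the original e-mail; the function name `Get-LocalAdminReport`, the `EXAMPLE` domain, and every sample record and SID are constructed for illustration.

```powershell
# Added example: classify the members of the built-in local Administrators group.
# Get-LocalAdminReport is a hypothetical name; the sample records are constructed.
function Get-LocalAdminReport {
    param(
        # Default reads the live group by its well-known SID (S-1-5-32-544),
        # which also works when the group name is localized.
        [object[]]$Members = (Get-LocalGroupMember -SID 'S-1-5-32-544')
    )
    foreach ($m in $Members) {
        $sid        = [string]$m.SID
        $fromDomain = "$($m.PrincipalSource)" -eq 'ActiveDirectory'
        if ($fromDomain -and $sid -match '-512$') {
            # RID 512 is the domain's Domain Admins group.
            $note = 'Domain Admins: the member added at domain join'
        } elseif ($fromDomain -and $m.ObjectClass -eq 'Group') {
            $note = 'Domain group: every member of it is a local admin here'
        } elseif ($fromDomain) {
            $note = 'Domain user added directly: review'
        } else {
            $note = 'Local principal'
        }
        [pscustomobject]@{ Name = $m.Name; Class = $m.ObjectClass; SID = $sid; Note = $note }
    }
}

# Constructed sample shaped like Get-LocalGroupMember output.
$dom = 'S-1-5-21-1000000001-1000000002-1000000003'
$sample = @(
    [pscustomobject]@{ Name = 'PC01\Administrator'; SID = 'S-1-5-21-1111111111-2222222222-3333333333-500'
                       ObjectClass = 'User'; PrincipalSource = 'Local' }
    [pscustomobject]@{ Name = 'EXAMPLE\Domain Admins'; SID = "$dom-512"
                       ObjectClass = 'Group'; PrincipalSource = 'ActiveDirectory' }
    [pscustomobject]@{ Name = 'EXAMPLE\Local Admins'; SID = "$dom-1105"
                       ObjectClass = 'Group'; PrincipalSource = 'ActiveDirectory' }
    [pscustomobject]@{ Name = 'EXAMPLE\jdoe'; SID = "$dom-1142"
                       ObjectClass = 'User'; PrincipalSource = 'ActiveDirectory' }
)

$report = Get-LocalAdminReport -Members $sample
$report | Format-Table -AutoSize

# Report the case the two posters disagree about: Domain Admins absent.
if (-not ($report | Where-Object { $_.Note -like 'Domain Admins*' })) {
    Write-Warning 'Domain Admins is not in local Administrators (not domain-joined, or the default was changed).'
}
```

Called with no arguments on a Windows machine with PowerShell 5.1 or later, the function reads the live group instead of the constructed sample.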
