Local admin group?

Archived from groups: microsoft.public.win2000.security (More info?)

We have an AD domain where other offices join the domain via VPN. My problem
is in administrators. I need to give one or 2 people at each office the
ability to have administrator priv's on all local 2k machines for the
purpose of updates but I don't want them to have admin rights on our
servers.

My first thought was "domain admin" but that is part of the Administrators
group.

By default, with Windows 2000, when you join a domain, domain admins and
administrators have local admin rights on that computer to do things such as
"Windows Updates", change network settings, add programs etc. You can't
just create a group called Local Domain Admin then add them as a user
account with admin rights because you can't add groups... only users locally
on each station.

I thought of removing domain admins from the administrators group on the
domain and adding those users from each office to the domain admin but I'm
not sure that it would be the right approach or would work.

Does anyone have any ideas?

Thanks,
Dan
DanTindell@Hotmail.com
  1.

    You could create the group on the DC and add the users to it. Then go to the
    workstations and add that group to the local admin group.
    "Dan Tindell" <DanTindell@Hotmail.com> wrote in message
    news:OKgfawA9EHA.3828@TK2MSFTNGP09.phx.gbl...
    > We have an AD domain where other offices join the domain via VPN. My
    > problem is in administrators. I need to give one or 2 people at each
    > office the ability to have administrator priv's on all local 2k machines
    > for the purpose of updates but I don't want them to have admin rights on
    > our servers.
    >
    > My first thought was "domain admin" but that is part of the Administrators
    > group.
    >
    > By default, with Windows 2000, when you join a domain, domain admins and
    > administrators have local admin rights on that computer to do things such
    > as "Windows Updates", change network settings, add programs etc. You
    > can't just create a group called Local Domain Admin then add them as a
    > user account with admin rights because you can't add groups... only users
    > locally on each station.
    >
    > I thought of removing domain admins from the administrators group on the
    > domain and adding those users from each office to the domain admin but I'm
    > not sure that it would be the right approach or would work.
    >
    > Does anyone have any ideas?
    >
    > Thanks,
    > Dan
    > DanTindell@Hotmail.com
    >
    >
  2.

    No, don't remove the domain admins group from the administrators group for
    the domain. Create a global group of users to add to the local administrators
    group of the domain workstations. You can do that using Group Policy and
    "restricted groups" at the Organizational Unit level where the domain
    computer accounts reside. Note that you do NOT want to do it at the domain
    level or they will end up being domain administrators. Using restricted
    groups works well but it will remove all current users in the local
    administrators groups [except built in admin] and replace it with what you
    define in restricted groups. Otherwise you can use a Group Policy "startup"
    script and the net localgroup command to add the global group to the local
    administrators group on the affected computers. The link below may
    help. --- Steve

    http://www.jsiinc.com/SUBK/tip5300/rh5319.htm

    "Dan Tindell" <DanTindell@Hotmail.com> wrote in message
    news:OKgfawA9EHA.3828@TK2MSFTNGP09.phx.gbl...
    > We have an AD domain where other offices join the domain via VPN. My
    > problem is in administrators. I need to give one or 2 people at each
    > office the ability to have administrator priv's on all local 2k machines
    > for the purpose of updates but I don't want them to have admin rights on
    > our servers.
    >
    > My first thought was "domain admin" but that is part of the Administrators
    > group.
    >
    > By default, with Windows 2000, when you join a domain, domain admins and
    > administrators have local admin rights on that computer to do things such
    > as "Windows Updates", change network settings, add programs etc. You
    > can't just create a group called Local Domain Admin then add them as a
    > user account with admin rights because you can't add groups... only users
    > locally on each station.
    >
    > I thought of removing domain admins from the administrators group on the
    > domain and adding those users from each office to the domain admin but I'm
    > not sure that it would be the right approach or would work.
    >
    > Does anyone have any ideas?
    >
    > Thanks,
    > Dan
    > DanTindell@Hotmail.com
    >
  3.

    You are not well served by using Domain Admins for
    anything except what it is intended for - managing the
    domain. This group has a broad scope of capabilities and
    use of accounts that are members of it should be restricted.

    Your observation that you cannot define a Local Admins
    group and add it to Administrators implies that you are
    letting people use machine local accounts instead of only
    using domain accounts. If you have them use domain accounts
    then you can group them into a domain local security group
    and have this added to the machine local Administrators group.

    I would highly recommend to you that you do not make the
    accounts of those one or two people at each site special.
    Their account should be as limited as any other person's
    account at that site - able to do what they need to for their
    day to day activities.
    Instead, make available an account that is an admin for the
    use of those one or two people when, and only when, they
    need to do something that requires those capabilities. Also,
    audit and monitor the login/logoff events of those empowered
    accounts to make sure that they are being used only when
    needed and in appropriate ways.
    One can manage the machine local Administrators group for
    all machines in an OU by use of a Restricted Group definition
    in a GPO linked to the OU - if and only if the membership in
    all of those machines is to be exactly the same. Otherwise
    you can use a startup script that checks for membership of
    specific account or group in the machine local Administrators
    group and if not present adds it/them.

    --
    Roger Abell
    Microsoft MVP (Windows Security)
    MCSE (W2k3,W2k,Nt4) MCDBA
    "Dan Tindell" <DanTindell@Hotmail.com> wrote in message
    news:OKgfawA9EHA.3828@TK2MSFTNGP09.phx.gbl...
    > We have an AD domain where other offices join the domain via VPN. My
    > problem is in administrators. I need to give one or 2 people at each
    > office the ability to have administrator priv's on all local 2k machines
    > for the purpose of updates but I don't want them to have admin rights on
    > our servers.
    >
    > My first thought was "domain admin" but that is part of the Administrators
    > group.
    >
    > By default, with Windows 2000, when you join a domain, domain admins and
    > administrators have local admin rights on that computer to do things such
    > as "Windows Updates", change network settings, add programs etc. You
    > can't just create a group called Local Domain Admin then add them as a
    > user account with admin rights because you can't add groups... only users
    > locally on each station.
    >
    > I thought of removing domain admins from the administrators group on the
    > domain and adding those users from each office to the domain admin but I'm
    > not sure that it would be the right approach or would work.
    >
    > Does anyone have any ideas?
    >
    > Thanks,
    > Dan
    > DanTindell@Hotmail.com
    >
    >
  4.

    "Dan Tindell" <DanTindell@Hotmail.com> wrote in message
    news:OKgfawA9EHA.3828@TK2MSFTNGP09.phx.gbl...
    > We have an AD domain where other offices join the domain via VPN. My
    > problem is in administrators. I need to give one or 2 people at each
    > office the ability to have administrator priv's on all local 2k machines
    > for the purpose of updates but I don't want them to have admin rights on
    > our servers.

    There are a couple of workable ways to do this:

    1) Use a Restricted Group assigned to a location-specific
    OU or maybe even a Site (although I have never tested
    the idea of using the Site for this).

    2) Manually add them on each station -- if you wish to
    automate this you could build the Group on the domain,
    e.g., CityAdmins, EastCoastAdmins, and then make
    sure it is in the Administrators group of each machine
    through a Startup script (running as the system account,
    you can't do this from Logon scripts reliably.)

    #1 is the "right way" but it implies you have organized
    your OUs by locations unless the Site idea works.

    The Site idea will definitely work for #2 BUT you
    must also remember to REMOVE the location admins
    if the machine is ever moved to another location/Site.

    > My first thought was "domain admin" but that is part of the Administrators
    > group.
    >
    > By default, with Windows 2000, when you join a domain, domain admins and
    > administrators have local admin rights on that computer to do things such
    > as "Windows Updates", change network settings, add programs etc. You
    > can't just create a group called Local Domain Admin then add them as a
    > user account with admin rights because you can't add groups... only users
    > locally on each station.

    Of course you can add Groups on each workstation,
    but you must do it locally at each workstation.

    > I thought of removing domain admins from the administrators group on the
    > domain and adding those users from each office to the domain admin but I'm
    > not sure that it would be the right approach or would work.

    No, as everyone else indicated do NOT remove
    Domain Admins.
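The startup-script option Steve and Roger describe above, written out as an added example (this is not code posted in the thread): a computer Startup script, run by Group Policy as the system account, that checks the local Administrators group with `net localgroup` and adds the domain group only when it is missing. The domain name CONTOSO, the group CityAdmins and the log path are placeholders chosen for the example.

```batch
@echo off
rem Added example: idempotent computer Startup script that makes sure a
rem domain global group is a member of the local Administrators group.
rem CONTOSO\CityAdmins is a placeholder; use your own domain and group.
setlocal
set GRP=CONTOSO\CityAdmins
set LOG=%SystemRoot%\localadmin-startup.log

rem "net localgroup Administrators" prints one member per line, domain
rem groups as DOMAIN\Group. /X requires the whole line to match, so a
rem similarly named group (e.g. CityAdmins2) is not mistaken for ours.
net localgroup Administrators | findstr /I /X /C:"%GRP%" >nul
if %ERRORLEVEL% EQU 0 (
    echo %DATE% %TIME% %GRP% already present >> "%LOG%"
    goto :EOF
)

rem Not present: add it and record the outcome for later review.
net localgroup Administrators "%GRP%" /ADD >nul 2>&1
if %ERRORLEVEL% EQU 0 (
    echo %DATE% %TIME% added %GRP% >> "%LOG%"
) else (
    echo %DATE% %TIME% FAILED to add %GRP% errorlevel %ERRORLEVEL% >> "%LOG%"
)
endlocal
```

The script only ever adds, so, as the post above warns, a machine moved to another location keeps the old location's group until someone removes it; the log file gives you a place to check which machines were changed and when.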