I want all my users to be just users to the domain, but I want the users to be full administrators of the local workstations. I figured that whenever I create them and make them part of the Domain Users, they have limited access to the workstations as well and going to each of my workstations and making "Domain Users" as Administrators is such a hassle and plus I need some users to have restricted access to the workstation as well, so I made all the users who I want to have local access admin domain admins, where as they are now all administrators to their workstations without the need of adding the setting to each of the workstations.
Now, the weird part is this. The users can now log into the domain controller and the exchange server as well and even on their local machine, they can mess with the active directory settings and group policy all because I set all my users to be domain admins. If a user logs into the server under their name, they can now access the shared resources on the server hard drives, change the permission settings and then mess with the data.
Now, either how do I restrict Domain Admins and set only the Domain Server Administrator as the full administrator, OR, how do I make a certain group a full administrator of the local workstation but cannot log into the server? It seems that once a workstation joins the domain, only the domain admins are the full administrator of the local workstation.
Kute Punk Kay Pee Kay Tee Pren Tiss

Now, the weird part is this. The users can now log into the domain controller and the exchange server as well and even on their local machine, they can mess with the active directory settings and group policy all because I set all my users to be domain admins. If a user logs into the server under their name, they can now access the shared resources on the server hard drives, change the permission settings and then mess with the data.
This is not weird, this is normal. When you make a user a member of the Domain Administrators group you're giving them that kind of access. You need to have a serious look at what the domain users group is and what it does. In fact, I think you need to do a whole lot more reading and research before you begin setting up and/or administering a domain. Not to be rude but I can tell from your question you're definitely lacking in knowledge.
I'm not sure why you want to give users access to the local administrators account on the PCs but if I were going to do that (and I most definitely would NOT!) I would make them members of the local administrators group on each PC.
Look, common sense states you don't want users to be able to mess with the computers they work on. If you allow it, they'll be installing all kinds of software they should not be and inviting all kinds of problems into your network and domain.
Most companies use images that are preloaded with the software employees need to do their jobs. And only that software. They also have a technician (or two or however many they need to get the job done) who have access to the local admin group to troubleshoot problems and make changes.
Also, there are many different ways to remotely deploy software to desktops within a domain without ever allowing users to install software.
Again, I can't stress enough how important it is to know what you're doing before you start doing it.

Ditto what Curt said. For security reasons, making the users Domain Admins is just plain and simple a very BAD and (pardon my lack of subtlety) stupid idea.
Life's more painless for the brainless.

I think you need to do a whole lot more reading and research before you begin setting up and/or administering a domain. Not to be rude but I can tell from your question you're definitely lacking in knowledge.
^ I believe you are totally wrong here. I DO know how to manage a server system, I have been managing them for years, I just want the users to have full computer access.
Them being restricted users on their OWN computers is just plain stupid, not adding users who don't know how to hack a domain as domain administrators.
That's just my opinion. Don't argue with me anymore up to this point. (Not Trying To Be Rude)
I understand that adding the users as a domain administrator is a security issue, but I just want to be able to set a certain group of users to be an administrator to the local workstation and NOT the domain. How do I do that?
Kute Punk Kay Pee Kay Tee Pren Tiss

Curt is certainly NOT lacking in knowledge. You are Ms. Katie Prentiss. Any responsible Enterprise Admin knows that regular users should not be given elevated privileges unless absolutely necessary, and NEVER given Domain or Enterprise Admin. If you've been administering servers for "years" you should know this.
You should also know how to add a Group to the Local Admin account without asking.
Of course, if Security is not an issue for your Company/Corporation, and they don't mind sharing all their information/corporate business with the public, and if they want to open up the network to the hackers/crackers/virus writers of the world, then have at it. Just add ALL your users to the Enterprise Admin group, sit back, and wait for the fun to begin.
Life's more painless for the brainless.

I think this is what you're looking for:
What you do is create a workstation admin group (security group) in active directory. Add the users to the workstation admin group. Apply that group to the local group either visiting each station or through group policy. The users can do what they want to their pc but not access exchange or the DC.
IT TECH, mastered front-end infrastructure, working on improving back end infrastructure.

Jennifer SUMN, the name's Katie Prentice, not Katie Prentiss.
haha!!!
mathamatical, I will try to see whether I can do what you said. Now where specifically do I need to go in the group policy to add a group to the admin of the local workstation?
Kute Punk Kay Pee Kay Tee Pren Tiss

Well Kay Tee, I'll side with Curt on this. If you don't understand why adding them to Domain Admins also allows them to log on to the domain controller and modify AD, then yes, you do have some things to learn. Users should absolutely not be domain admins. Period. So I would change that immediately.
You can do what you are looking to do fairly easily. You can run a startup script (not a logon script) to do what you want. This must be a startup script that you can define in a group policy in Active Directory. This won't work as a logon script because it will not have the proper permission.
Let's say you wanted the users in PCAdmins to have local admin access to all PCs. You would create a startup script like the following...
net localgroup Administrators "PCAdmins" /add
This command would add the PCAdmins group from AD to the local administrators group of whatever computers (OU) you applied the policy to. The good part is even if someone goes in and removes them from the Administrators group, a reboot of the PC would just add it back in again.
Good luck.
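The same idea as Glen's one-line startup script, written out as an added PowerShell example (not code from the thread): it runs as a Computer Configuration startup script, checks whether the domain group is already in the local Administrators group before adding it, so the nightly reboot does not log an error every time, and writes what it did to a log file. It assumes the domain's NetBIOS name is CONTOSO (a placeholder) and uses the PCAdmins group name from the post above.

```powershell
# Added example, not from the original thread.
# Computer startup script: make sure CONTOSO\PCAdmins is a member of the
# local Administrators group. Startup scripts run as SYSTEM, which is why
# this works where a user logon script would be denied.
$domain    = 'CONTOSO'    # placeholder: replace with your domain's NetBIOS name
$groupName = 'PCAdmins'   # group name taken from the post above
$logFile   = Join-Path $env:SystemRoot 'Temp\localadmin-startup.log'

function Write-Log([string]$message) {
    "$(Get-Date -Format 's') $message" |
        Out-File -FilePath $logFile -Append -Encoding ASCII
}

# Bind to the local Administrators group through the WinNT ADSI provider.
$localAdmins = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"

# Enumerate current members as DOMAIN\Name so the membership test is exact
# (a substring match on "PCAdmins" could be fooled by a similarly named account).
$members = @($localAdmins.Invoke('Members') | ForEach-Object {
    $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    # ADsPath looks like WinNT://CONTOSO/PCAdmins; turn it into CONTOSO\PCAdmins
    ($path -replace '^WinNT://', '') -replace '/', '\'
})

$wanted = "$domain\$groupName"
if ($members -contains $wanted) {
    # Already present: nothing to change, so repeated reboots stay quiet.
    Write-Log "$wanted is already a member of Administrators; nothing to do"
} else {
    try {
        $localAdmins.Add("WinNT://$domain/$groupName,group")
        Write-Log "Added $wanted to Administrators"
    } catch {
        # Typical causes: the group name is wrong, or the machine could not
        # reach a domain controller at boot to resolve the group.
        Write-Log "FAILED to add ${wanted}: $($_.Exception.Message)"
        exit 1
    }
}
```

Which computers get the group is decided by where the GPO carrying this script is linked, as Glen says above, so machines that should not receive it belong in an OU the policy is not linked to.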

Well Glen, I do understand that when I add the user as a domain admin, then the user will be able to gain full access to the domain, I only changed that setting because NONE of my users know how to work a domain like me lol! Some of my restricted users are set to domain users, who have restricted access both to the domain as well as the local computer. I am just surprised that they can log into the server because the moment I added them to the domain admin, I logged into the server and it said access denied and I thought, yeah if they can't get access to the server, I'll just set them as domain admin but now I am finding out that they could, so I will change that. At least I just learned something new.
Anyways about the startup script, isn't there a certain place in group policy where I can define who should be an admin of the local computer or is creating a startup script the only way?
Kute Punk Kay Pee Kay Tee Pren Tiss

You need a script that runs on each specific computer. The script is the only way I know to automate it other than doing it manually at each machine.

Here's what I'd do:
1. Create a global security group for users who you want to have local administrator access on a workstation.
2. Add the appropriate users to the group you created in Step 1. DO NOT add them to Domain Admins, Enterprise Admins, Schema Admins or the like... even if they "don't know how to work a domain like I do", there could be malicious software out there that might know.
3. Create a new Group Policy Object and configure the Computer Settings > Windows Settings > Restricted Groups. Set up the Administrators group as you would like it to be on a workstation (i.e. add the group you created in Step 1 to the Administrators group here).
4. Apply the new GPO to the workstations.

Matt Dean, can I do this in the Group Policy itself where whenever the user starts up the computer, the computer then loads the policy on startup?
Also, what if I want this setting to not be set on one computer, like a terminal server, where I don't want them to be administrators of the terminal server since I don't want setting to be saved on the terminal server or simply viruses to get into it by the users.
If I set the users to be administrators of a computer, then if I want to NOT let them be an administrator of ONE computer, how will I do that?
Kute Punk Kay Pee Kay Tee Pren Tiss
