saint_stevo Posted 12 November, 2009
In W2k3 I give a user 'Administrators' rights and they still have limited accounts, they only seem to have full rights if they are given 'Domain Admin' rights, which obviously isn't an ideal situation. Any ideas why?!

magnet Posted 12 November, 2009
Are you talking administrator rights to their local machine? What are you trying to resolve?

Thedelldays Posted 12 November, 2009
Isn't it something to do with inheritance rights...?

exit2 Posted 12 November, 2009
> In W2k3 I give a user 'Administrators' rights and they still have limited accounts, they only seem to have full rights if they are given 'Domain Admin' rights, which obviously isn't an ideal situation. Any ideas why?!

Steve, are you doing this at the top level of the "site"? If so, why? You can assign users admin rights on various parts of the OUs / containers etc etc. What are you actually trying to do? But like you say, giving them admin rights is a bad move.

saint_stevo (Author) Posted 12 November, 2009
Yeah, certain users need admin rights to do certain things. Have tried adding them to the administrators security group but still get limited rights. Have tried setting up new security groups with admin rights and assigning that to an o.unit but still only get limited rights.....

badgerx16 Posted 14 November, 2009
It is not a good idea EVER to give a user 'Domain Admin' membership, it is a grouping intended only for fixing things when the network / domain really screws itself up. One problem is that no domain management or security policy / profile can ever apply to a D-A member. Also, some systems, such as CITRIX servers, can get really upset when trying to apply their own profiles to a D-A user. Always work on the 'rule of least privilege', give them only sufficient to do what they need to do; there are, I think, about 20,000 combinations of privilege setting in a W2K domain, so you are sure to find something appropriate.

saint_stevo (Author) Posted 14 November, 2009
Domain admin seems to be the only way users get local admin.....which certain users require

badgerx16 Posted 14 November, 2009
1) How many client PCs, and what O/S?
2) Are any of these articles of use?.....
http://searchwindowsserver.techtarget.com/news/article/0,289142,sid68_gci1065698,00.html
http://www.windowsecurity.com/articles/Using-Restricted-Groups.html
http://community.scriptingprovip.com/forums/146958/ShowThread.aspx
http://blogs.technet.com/heyscriptingguy/archive/2004/10/08/how-can-i-add-a-domain-user-to-a-local-administrators-group.aspx

saint_stevo (Author) Posted 16 November, 2009
So I need to write a script to grant local admin? Seems a bit arse about face.... 500 client PCs, XP and 2000 in a 2003 environment

badgerx16 Posted 16 November, 2009
> So I need to write a script to grant local admin? Seems a bit arse about face.... 500 client PCs, XP and 2000 in a 2003 environment

Micro$haft Windoze is never straightforward. As Shane_SFC says, Privilege Manager is a good way to control admin rights, it is one of the things I know we are currently looking into - I will ask a couple of my techies for their advice about other options.

badgerx16 Posted 17 November, 2009
We are apparently using the restricted groups approach, applying policies to PC based groups in the AD, and adding 'local administrator' access for privileged user groups to the computer groups as appropriate.

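Added example, not part of the thread and not any poster's own script: one way to check on a client that the restricted-groups policy described above has taken effect, by listing the local Administrators group and reporting any member outside an allow-list. The domain name EXAMPLE and the group Workstation-Admins are hypothetical placeholders, and the script assumes an English-language OS where the group is named "Administrators".

```powershell
# Added example: report unexpected members of the local Administrators group.
# Assumes an English-language OS (group name "Administrators").

function ConvertFrom-AdsPath {
    param([string]$AdsPath)
    # WinNT://DOMAIN/name is a domain principal;
    # WinNT://DOMAIN/COMPUTER/name is a local account on COMPUTER.
    $parts = @(($AdsPath -replace '^WinNT://', '') -split '/')
    switch ($parts.Count) {
        3       { '{0}\{1}' -f $parts[1], $parts[2] }
        2       { '{0}\{1}' -f $parts[0], $parts[1] }
        default { $parts[-1] }   # e.g. bare SID left behind by a deleted account
    }
}

function Get-LocalAdminMember {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        $path = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        ConvertFrom-AdsPath $path
    }
}

function Test-LocalAdminMembership {
    param([string]$ComputerName = $env:COMPUTERNAME, [string[]]$Allowed)
    foreach ($name in (Get-LocalAdminMember -ComputerName $ComputerName)) {
        # -notcontains compares case-insensitively, so DOMAIN\Group casing does not matter
        if ($Allowed -notcontains $name) {
            New-Object PSObject -Property @{ Computer = $ComputerName; Unexpected = $name }
        }
    }
}

# Constructed allow-list; EXAMPLE and Workstation-Admins are placeholders.
$allowed = @(
    "$env:COMPUTERNAME\Administrator",
    'EXAMPLE\Domain Admins',
    'EXAMPLE\Workstation-Admins'
)
Test-LocalAdminMembership -Allowed $allowed
```
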
saint_stevo (Author) Posted 17 November, 2009
Linky... http://pm.beyondtrust.com/products/PrivilegeManager.aspx
Just get the powers above to stump up the cash. Just spent 80k on virtualisation.....

saint_stevo (Author) Posted 17 November, 2009
> We are apparently using the restricted groups approach, applying policies to PC based groups in the AD, and adding 'local administrator' access for privileged user groups to the computer groups as appropriate.

Was hoping to be able to apply rights at user rather than computer level....hmmm

saint_stevo (Author) Posted 20 November, 2009
I do. Same as where your bro did....what is beyond trust?

Mewsta Posted 25 November, 2009
Stevo..... Try this, it's how I set permissions for Computers in my domain. Assign the GPO to the container/s with the PCs located......
http://windows.stanford.edu/Public/Infrastructure/localgroup.html#Groups

saint_stevo (Author) Posted 25 November, 2009
Nice one....I'll give that a go tomorrow