Sorry, but that did not help me much ;-)
..Rikard
"Philip Nunn" <(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...
> correct
>
> Philip Nunn
>
> "Rikard N" <(E-Mail Removed)> wrote in message
> news:%(E-Mail Removed)...
> > Hi all,
> >
> > In our freshly installed Windows 2003 AD I know I will, for political
> > reasons, be forced to give some of our users Administrator access to their
> > Workstations/PCs.
> >
> > If I create a group say "Workstation Local Admins" (WLA) and put it together
> > with Domain Admins into the restricted group
> > BUILTIN\Administrators (in a GPO in OU=Users, Machine Policy) every user I
> > put into WLA will become local administrator on every machine they log on
> > to, right?
> >
> > There is a problem with this approach I think. Every WLA user will also
> > become administrator on all the other WLA users' machines.
> > This might be restricted by assigning which machines the user is allowed to
> > log on to.
> >
> > So far I have come up with three ways/paths to try:
> >
> > 1.
> > This one I got from Jeremy Moskowitz (@NTForum Stockholm, thanks Jeremy,
> > great speech btw) is to create a GPO for every user.
> > This will solve the problem I am addressing but in a rather...messy way (as
> > JM also pointed out).
> > The good thing though is that all users who are Administrators will be
> > documented.
> > A downside is that there might be many GPOs and that the user will be local
> > administrator on every machine he/she logs on to.
> >
> > 2.
> > I was also thinking of something like this:
> > Pseudocode:
> > IF %USERNAME% MEMBEROF("Local Admins") THEN
> > NET LOCALGROUP ADMINISTRATORS %USERNAME% /ADD
> > END IF
> >
> > ...but... at startup/logon isn't it too late to do this? And at startup
> > %username% is = what? SYSTEM?
> >
> > 3.
> > Another solution might be to block the general GPO that assigns Domain
> > Admins in Administrators and then manually administer every user's computer
> > and keep some sort of documentation. Downside: the user can remove Domain
> > Admins from Administrators and I lose control...
> >
> >
> > Do any of you guys have a better/good solution?
> >
> > Regards,
> >
> > .Rikard
> >
> >
>
>