administrator access without adding to administrators group

[mcp]

I have created a domain account that I want it to be a local adminitrator on
all servers in the domain. I want to do this without adding the user to the
local administrators group. Is that possible? Is this something that could
be done from the local security policy?

 

[Roger Abell [MVP]]

I have created a domain account that I want it to be a local adminitrator
on all servers in the domain. I want to do this without adding the user to
the local administrators group. Is that possible? Is this something that
could be done from the local security policy?

Let me get this right.
You want, for each server, a domain account to be an administrator
without being in each server's Administrators group ?
So you want the account to be something (admin), without meeting
the essential, minimum necessary and sufficient requirement for it
to be that something (i.e. member in Administrators group) ?
That would be sort of like us all being billionaires without having
to have a billion, right?

 

[Michael Bednarek]

I have created a domain account that I want it to be a local adminitrator on
all servers in the domain. I want to do this without adding the user to the
local administrators group. Is that possible? Is this something that could
be done from the local security policy?

I suspect that generous use of NTRIGHTS might achieve what you have in
mind.

 

[Roger Abell [MVP]]

I suspect that generous use of NTRIGHTS might achieve what you have in
mind.

That could certainly cover part of it, not all.

For example, filesystem permissions, registry permissions,
com/dcom component permissions, per-service permissions,
service manager permissions, etc..

Roger

 

[Michael Bednarek]

Michael Bednarek wrote in message news:[email protected]...

That could certainly cover part of it, not all.

For example, filesystem permissions, registry permissions,
com/dcom component permissions, per-service permissions,
service manager permissions, etc..

I think these can be covered with other command line and/or GUI tools or
WMI/VBS scripts. Still, it seems a perfectly pointless exercise, except
for nefarious purposes.

 

[Roger Abell [MVP]]

I think these can be covered with other command line and/or GUI tools or
WMI/VBS scripts. Still, it seems a perfectly pointless exercise, except
for nefarious purposes.

It is an odd exercise, to take the long road when there is
a pre-planned short cut. Yes, there are many way to give
permissions to secured objects, but it would have to be
done as user rights would not themselves allow any of
those accesses. Between the two however, after many
hours of effort finding all that needs to be touched, one
would come close (but likely still not be there - admin
shares for example).

Roger