How to disable domain administrator get local administrators group ?

J

john

In a big network, have several network administrators.

In the network, some computers have security data(e.g. personnel,
account deaprtment), the security data store in local computer. These
computers join to domain.

I can set disable group policy for these computers. But network
administrator can logon domain administrator via these computers and
can access all local files.

How to disable domain administrator get local administrators group ?

Thanks.
 
M

Miha Pihler

I am not sure I would opt for this solution. I see quite a few problems that
can come from this...
Personally I would look into deploying domain wide EFS and change Recovery
Agent to someone that can be trusted in domain.

In Win2K Resource kit there is a tool called Cusrmgr.exe. You can include
this in logon script to remove all Domain Admins from PC. E.g. Put all PCs
that you want without Domain Admins in one OU and create GP with Cusrmgr.exe
in logon script ...

http://www.tburke.net/info/reskittools/topics/cusrmgr_syntax.htm

I hope it helps you out...
 
E

Eric Chamberlain

You can't keep them off the machine if they really want on. What you can do
is remove the Domain Admins from the local Administrators group and enable
auditing on the Administrators membership and on the files in question.

Then assuming they don't destroy the audit logs, you have a record of their
activity. Or you could use something like Microsoft Audit Collection System
(MACS) to export the logs in real time to a machine not under their control.

What most companies do, is hire administrators that understand that
unauthorized access is grounds for dismissal.

Another item to consider is that user workstations are not the best place to
store sensitive files. The files should be stored on a file server that is
backed up and properly secured.
 
J

john

In the real world, companies hire securities, but they keep important
infomation in strongbox.

I am not a expert in network security. I just need the simple function
as above to prtect my important information.

How do I setup for Windows 2000 ?
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Local Power Users Group 3
administrator access without adding to administrators group 5
Administrator not allowed to change local security settings 2
Domain User can't login unless it has local Administrators right 0
Domain users = local administrator 1
problem with logon on a windows 2000 or XP client machine 3
can not add myself into the local admin group. But am the Domain A 1
"enterprise admins" member of local domain administrators ?! 2

Top