Local Logon To Domain Controller

Stuart Brown

Hi,

I have a Domain running in one of my schools and I want
to "prevent" network users from being able to logon to the
Server (Domain Controller) machine itself.

I want it so that only the "Domain Administrator" account
can logon to the server as only me and my colleagues have
this password.

Any ideas on how to do this would be greatly appreciated.

Thanks very much

Herb Martin

Stuart Brown said:
> Hi,
>
> I have a Domain running in one of my schools and I want
> to "prevent" network users from being able to logon to the
> Server (Domain Controller) machine itself.

The default already takes care of that -- only the "powerful" groups,
like Admins, Backup, Account, Server and Print Operators, have the
right to log on locally on DCs.

> I want it so that only the "Domain Administrator" account
> can logon to the server as only me and my colleagues have
> this password.

You could take it away from the other "powerful" groups but
that is seldom necessary.

> Any ideas on how to do this would be greatly appreciated.

It's done -- wasn't that quick? <grin>
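Herb's claim about the defaults can be checked on the DC rather than assumed. The PowerShell below is an added example, not code from this thread: it exports the effective user-rights assignment with secedit.exe, resolves every SID that holds "Allow log on locally" (SeInteractiveLogonRight), and flags any principal outside the default domain-controller set. It assumes an elevated session on the DC; the export path is a constructed temporary file.

```powershell
# Added example (not from the thread): audit who can log on locally to this DC.
# Assumes an elevated PowerShell session; secedit.exe ships with Windows.
$inf = Join-Path $env:TEMP 'secpol-export.inf'
secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null

# Principals that hold "Allow log on locally" in the Default Domain
# Controllers Policy, keyed by well-known SID.
$expected = @{
    'S-1-5-32-544' = 'Administrators'
    'S-1-5-32-548' = 'Account Operators'
    'S-1-5-32-549' = 'Server Operators'
    'S-1-5-32-550' = 'Print Operators'
    'S-1-5-32-551' = 'Backup Operators'
    'S-1-5-9'      = 'Enterprise Domain Controllers'
}

# The export is an INI file; the line of interest looks like
#   SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-548,...
$line = Get-Content $inf |
    Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' } |
    Select-Object -First 1
if (-not $line) { throw 'SeInteractiveLogonRight not present in export' }

$entries = ($line -split '=', 2)[1].Trim() -split ','
foreach ($raw in $entries) {
    $entry = $raw.Trim()
    if ($entry.StartsWith('*')) {
        # "*SID" form: resolve the SID to a readable account name
        $sid = $entry.Substring(1)
        try {
            $name = (New-Object System.Security.Principal.SecurityIdentifier $sid).
                Translate([System.Security.Principal.NTAccount]).Value
        } catch { $name = '(unresolved SID)' }
    } else {
        # secedit may also write plain account names instead of SIDs
        $sid = $null; $name = $entry
    }
    # Anything not in the default DC set deserves a look: a user or custom
    # group here can log on at the DC console regardless of domain rights.
    $status = if ($sid -and $expected.ContainsKey($sid)) { 'default' } else { 'REVIEW' }
    '{0,-8} {1,-40} {2}' -f $status, $name, $entry
}
Remove-Item $inf -ErrorAction SilentlyContinue
```

Lines marked REVIEW are principals that were added to the right beyond the defaults; removing such a group from the right, or taking the right away from an operator group as Herb describes, is done in the Default Domain Controllers Policy under User Rights Assignment.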

Guest

-----Original Message-----
> The default already takes care of that -- only the "powerful" groups,
> like Admins, Backup, Account, Server and Print Operators, have the
> right to log on locally on DCs.
>
> You could take it away from the other "powerful" groups but
> that is seldom necessary.
>
> It's done -- wasn't that quick? <grin>
>
> --
> Herb Martin

Not quite as simple as that. I have guys in place who
need admin rights on the client PCs, but I don't want
them to be able to logon to the server. These guys are
members of the "powerful groups" though, and need to be.

Lanwench [MVP - Exchange]

> need admin rights on the client PCs, but I don't want
> them to be able to logon to the server. These guys are
> members of the "powerful groups" though, and need to be.

Create a "LocalAdministrator" group in AD. Add it to all the local
workstation Administrators groups. Add the appropriate parties to the
"LocalAdministrator" group, and make sure they don't have any domain admin
rights, etc etc etc. Voila - local admin rights, no monkeying around
elsewhere.

Chriss3

Stuart, please tell us more about your needs, so we can provide the best
solution. What do these administrators out at the PCs have to do? And what
kind of rights are required?

(Without knowing much about your environment)

The following solution may be of use to you. You may create a group called
PC Admins or whatever you want, and assign this PC Admins group as local
administrators for the computers. This can be done within a Group Policy by
making use of Restricted Groups at the following location:
Computer Configuration\Windows Settings\Security Settings\Restricted Groups

If you have to delegate control of objects in Active Directory to these
PC Admins, I strongly recommend you use the Delegation of Control Wizard:

Step-by-Step Guide to Using the Delegation of Control Wizard:
http://www.microsoft.com/windows2000/techinfo/planning/activedirectory/delegsteps.asp

Please feel free to post :) Have a nice day!

Herb Martin

> Not quite as simple as that. I have guys in place who
> need admin rights on the client PCs, but I don't want
> them to be able to logon to the server. These guys are
> members of the "powerful groups" though, and need to be.

Then they are DOMAIN admins -- the question was for users.

You can certainly make those people MACHINE admins without
making them domain admins, but once you CHOOSE to give them
administrative privileges on the domain they have the same power as
you.

Herb Martin

> Create a "LocalAdministrator" group in AD. Add it to all the local
> workstation Administrators groups. Add the appropriate parties to the
> "LocalAdministrator" group, and make sure they don't have any domain admin
> rights, etc etc etc. Voila - local admin rights, no monkeying around
> elsewhere.

I would suggest calling it "MachineAdmins" or "ServerAdmins" or even
"GlobalAdmins", since the word "local" has a specific technical meaning in
relation to groups that is NOT necessarily 'machine specific.'

All local groups are not machine specific groups.
All machine specific groups are local groups.

Local groups from the domain cannot be placed inside of other local groups
(in mixed mode or local groups on a machine.)