Rikard N
Hi all,
In our freshly installed Windows 2003 AD I know I will, for political
reasons, be forced to give some of our users Administrator access to their
Workstations/PCs.
If I create a group say "Workstation Local Admins" (WLA) and put it together
with Domain Admins into the restricted group
BUILTIN\Administrators (in a GPO in OU=Users, Machine Policy) every user I
put into WLA will become local administrator on every machine they log on
to, right?
There is a problem with this approach I think. Every WLA user will also
become administrator on all the other WLA users' machines.
This might be restricted by assigning which machines the user is allowed to
logon to.
So far I have come up with three ways/paths to try:
1.
This one I got from Jeremy Moskowitz (@NTForum Stockholm, thanks Jeremy,
great speech btw) is to create a GPO for every user.
This will solve the problem I am addressing but in a rather...messy way (as
JM also pointed out).
The good thing though is that all users who are Administrators will be
documented.
A downside is that there might be many GPOs and that the user will be local
administrator on every machine he/she logs on to.
2.
I was also thinking of something like this:
Pseudocode:
IF %USERNAME% MEMBEROF("Local Admins") THEN
NET LOCALGROUP ADMINISTRATORS %USERNAME% /ADD
END IF
....but... at startup/logon isn't it too late to do this? And at startup
%username% is = what? SYSTEM?
3.
Another solution might be to block the general GPO that assigns Domain
Admins in Administrators and then manually administer every user's computer
and keep some sort of documentation. Downside: the user can remove Domain Admins
from Administrators and I lose control...
Does any of you guys have a better/good solution?
Regards,
..Rikard
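A computer startup-script variant of option 2, added here as an example and not part of Rikard's post. It keys local admin rights on %COMPUTERNAME% rather than %USERNAME% (at startup the script runs as SYSTEM, so %USERNAME% is not the interactive user), and it assumes a hypothetical naming convention of one domain group per workstation, EXAMPLE\LA-<computername>, that is created and documented centrally in AD.

```batch
@echo off
rem Computer startup script (added example, not from the original post).
rem Runs as LocalSystem at boot: %USERNAME% is meaningless here, so the
rem membership is keyed on %COMPUTERNAME% instead. Each workstation gets its
rem own domain group, which removes the "every WLA user is admin on every
rem machine" problem because a user is only in the groups for his own PCs.
rem Assumed (hypothetical) naming convention: EXAMPLE\LA-<computername>.
setlocal
set DOMAIN=EXAMPLE
set LAGROUP=%DOMAIN%\LA-%COMPUTERNAME%
set LOG=%SystemRoot%\Temp\localadmin.log

echo %DATE% %TIME% startup on %COMPUTERNAME% >> "%LOG%"

rem Re-add Domain Admins every boot so a local admin who removed them does
rem not stay in control of the box (addresses the downside of option 3).
net localgroup Administrators "%DOMAIN%\Domain Admins" /add >nul 2>&1

rem Add the per-machine group. "net localgroup" returns a non-zero errorlevel
rem both when the AD group does not exist (the PC then simply has no delegated
rem local admins) and when the group is already a member; log either case.
net localgroup Administrators "%LAGROUP%" /add >> "%LOG%" 2>&1
if errorlevel 1 echo %DATE% %TIME% %LAGROUP% missing in AD or already a member >> "%LOG%"

rem Dump the resulting membership so the "who is local admin where" record
rem is generated at every boot instead of maintained by hand.
echo --- Administrators on %COMPUTERNAME% --- >> "%LOG%"
net localgroup Administrators >> "%LOG%"
endlocal
```

This only works alongside a Restricted Groups policy that does not enforce an exact member list for BUILTIN\Administrators (a "Members of this group" entry would remove the per-machine group again at the next policy refresh). Group membership changes become visible in the Security log once auditing of account management is enabled on the workstations.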