Win2k User Management

[Abhishek]

Hi,
In a network with a domain and workstations under that domain, can a
domain administrator access any remote machine without being a part of the
administrators group on the remote machine(local). If yes, then how come the
domain administrators credentials be verified on the remote machine if the
domain admin is not part of the local administrators group.
Thanks,
Abhishek.

 

[Keith W. McCammon]

In a network with a domain and workstations under that domain, can a

domain administrator access any remote machine without being a part of the
administrators group on the remote machine(local). If yes, then how come the
domain administrators credentials be verified on the remote machine if the
domain admin is not part of the local administrators group.

If a given user does not have local administrative privileges on a given
system, that user cannot manage that system. By default, when computers are
added to a domain, the domain administrators group is added to the local
administrators group on that system, which is how management is facilitated.

 

[Wajihy [MSFT]]

yes because once a mchine joines a domain the domain admin group is
automaticlaly added to the local admin group
so the answer is yes, unless on the local machine you go and delete the
domain admin group from your local admin group ( you will need admin
privleges on the machine to do this)

 

[Joe Richards [MVP]]

Being a domain admin imparts no special powers over workstations. If the workstation owner has removed domain admins
from the local administrators group, the domain admins have no direct rights over the workstation, they could if they
wanted however gain control over the workstation via a group policy in the active directory and then get access.