  1. #1
    Bronze Lounger
    Join Date
    Feb 2001
    Posts
    1,424
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Win2000pro controlling admin privileges

    We are bringing Win2000 pro laptops onto our network. The owners have admin privileges on the local side, but we haven't given them those rights on the global side (obvious reasons). There is a question of whether they will still be able to use their local admin abilities on the global domain due to the fact that the global admin profile is created in the local admin group properties. So we removed the global admin out of the local group. Will that take care of this or is there something else that needs to be considered??

    Thank you!


    "Peace begins with a smile. "-- Mother Teresa

  2. #2
    WS Lounge VIP rory
    Join Date
    Dec 2000
    Location
    Burwash, East Sussex, United Kingdom
    Posts
    6,280
    Thanks
    3
    Thanked 191 Times in 177 Posts

    Re: Win2000pro controlling admin privileges

    Hi,
    I'm not sure I follow you. Are you saying you've removed the global Domain Admins group from the local Administrators group? Unless they are members of the Global Domain Admins as well, their local admin rights are restricted to their own machines - i.e. they can't add themselves to the global domain admins group, for example. The fact that the global domain admins group is added to the local admins group simply means that your global domain administrators have local admin rights for each machine.
    Or have I missed your point?
    Regards,
    Rory

    Microsoft MVP - Excel

  3. #3
    Bronze Lounger

    Re: Win2000pro controlling admin privileges

    Cool picture!! Thank you for your reply.

    Yes, we removed the G.Adm from the Local Admin properties. We gave ourselves local Adm rights so that we could log on either domain. I just wanted to be sure that there wasn't another way around the "security".

    The "users" are still in the Local Admin group properties, is that any problem?


    "Peace begins with a smile. "-- Mother Teresa

  4. #4
    WS Lounge VIP rory

    Re: Win2000pro controlling admin privileges

    Thangyewverymudge (as the King would say)
    I'd have left the Global domain admins group as a member of the local admins group - that way any domain admin can administer the local machine. The users' local admin rights should not affect their global admin rights (i.e. none) at all. (I'm assuming you didn't mean the Users group was a member of the local admins group?)
    Regards,
    Rory

    Microsoft MVP - Excel

  5. #5
    Bronze Lounger

    Re: Win2000pro controlling admin privileges

    Yep, that was my concern although I don't think it is a problem. The area that I am looking at is local groups/admin/properties and the entries in there. Users is listed as one of those entries along with our three local admin people....the owner of the laptop and our big department of two!! Our global domain is a small one - 250 users in a school setting - so removing the global adm priv should not be a problem for us. And I don't think any of our users would be malicious but maybe inadvertently might stumble into territories that they shouldn't be in.

    I do have another question about Win2000 re virtual directories but perhaps I should post it as a separate issue.

    Thanks again for any insight to my original question!!


    "Peace begins with a smile. "-- Mother Teresa
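
The membership check discussed in this thread, as an added example that is not part of any poster's reply: a Python sketch that parses the output of `net localgroup Administrators` and reports broad groups in the local Administrators group and whether Domain Admins is still a member. The sample output, the domain name SCHOOL, the account names and the BROAD list are constructed assumptions.

```python
# Added example: audit the members of a workstation's local Administrators group.
# SAMPLE is constructed output in the format printed by `net localgroup Administrators`;
# the domain name SCHOOL and the account names are made up.
SAMPLE = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
laptopowner
SCHOOL\\Domain Users
SCHOOL\\itstaff1
The command completed successfully.
"""

# Principals that stand for "everybody"; one of these in Administrators makes
# every matching user a local admin. The list is this example's assumption.
BROAD = {"users", "domain users", "authenticated users", "everyone", "interactive"}


def parse_members(output):
    """Return the member names listed between the dashed rule and the status line."""
    members, in_list = [], False
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("---"):
            in_list = True
        elif in_list and line and not line.lower().startswith("the command completed"):
            members.append(line)
    return members


def audit(output):
    """Classify members: broad groups, Domain Admins present or not, the rest."""
    report = {"broad": [], "domain_admins": False, "other": []}
    for member in parse_members(output):
        name = member.rsplit("\\", 1)[-1].lower()  # drop DOMAIN\ or NT AUTHORITY\
        if name in BROAD:
            report["broad"].append(member)
        elif name == "domain admins":
            report["domain_admins"] = True
        else:
            report["other"].append(member)
    return report


if __name__ == "__main__":
    print(audit(SAMPLE))
```

An empty `broad` list and a short, named `other` list is the state the thread is aiming for; `domain_admins` being False means domain administrators have no local admin rights on that laptop unless they are listed individually.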
