If this is what you do then you can also, in ADUC, restrict them to the
machines they need to access and allow access to any servers as well, but
restrict login rights on the servers.

Jon

On Wed, Dec 3, 2008 at 10:22 AM, James Rankin <[EMAIL PROTECTED]> wrote:

> I don't work in finance or education, and I've worked in many places where
> the mantra is the same - security is for your own protection.
>
> But anyway we're getting into a different area here... if your local admin
> groups are so disparate and not managed via a central mechanism, it looks
> like you are in for a lot of manual work of one flavour or the other.
> Personally I'd flush the old SIDs out with Restricted Groups and add a group
> called Domain Workstation Admins (that contains all your users who "need"
> local admin access)  to local Administrators via the Restricted Groups. I'd
> then apply this to your Workstations OU, and keep the servers separate. You
> may give some of your PITA users admin access to other workstations, but at
> least everything is then centrally managed.
>
>
> 2008/12/3 Liu, David (G2DD) <[EMAIL PROTECTED]>
>
>>  In financial services and edus it would be easy to implement total lockdown,
>> but in marketing, where egos are bigger than concerns for security, IT will
>> have to bend.
>>
>> David Liu
>> Answering from my blackberry. I'm on the move
>>
>> -----Original Message-----
>> From: Jon Harris <[EMAIL PROTECTED]>
>> To: NT System Admin Issues <ntsysadmin@lyris.sunbelt-software.com>
>>  Sent: Wed Dec 03 09:37:21 2008
>> Subject: Re: removal of security GUID from deleted accounts
>>
>> AND there is a problem with that?  I don't see one, but then the only local
>> admins left in my environment are a Mac user and a Laboratory Manager who will
>> not give them up.  The Laboratory Manager may be losing access to the office
>> subnet and mapped drives soon if his machine does not come into compliance
>> with the rest of the office.
>>
>> Jon
>>
>>
>> On Wed, Dec 3, 2008 at 9:30 AM, Liu, David (G2DD) <[EMAIL PROTECTED]> wrote:
>>
>>
>>         Probably, but that would effectively wipe out any local admins that
>> were explicitly added, e.g. execs.
>>         David Liu
>>         Answering from my blackberry. I'm on the move
>>
>>
>>         -----Original Message-----
>>         From: James Rankin <[EMAIL PROTECTED]>
>>         To: NT System Admin Issues <ntsysadmin@lyris.sunbelt-software.com>
>>         Sent: Wed Dec 03 03:27:51 2008
>>         Subject: Re: removal of security GUID from deleted accounts
>>
>>         If you use a Restricted Groups GPO, does this remove the SID? It
>> certainly will remove all groups that it thinks shouldn't be there...
>>
>>
>>         2008/12/3 Liu, David (G2DD) <[EMAIL PROTECTED]>
>>
>>
>>                 We had to delete/recreate the security group in an AD 2003
>>                 environment which is used to populate local administrator
>>                 membership on PC workstations. However, as a result of the
>>                 deletion the security group now shows up with the deleted
>>                 Security ID instead of a recognizable name.
>>
>>                 We tried to set the startup script to delete the old name,
>>                 e.g. net localgroup /delete, but it doesn't work because only
>>                 the phantom SID exists. Inputting the string of the SID in the
>>                 script doesn't work either.
>>
>>                 Any idea on how to remove this SID via script?
>>
>>                 TIA!
>>
>>
>>                 ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
>>                 ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>>
>

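The original question in the thread (removing a phantom SID left in local Administrators after the AD group was deleted and recreated) never got a scripted answer. The script below is an added example, not code posted by anyone in the thread, that does it with the ADSI WinNT provider: `net localgroup <group> <member> /delete` has to resolve `<member>` to an account first, which is exactly what fails once the account is gone, whereas the WinNT provider accepts a bare SID in the member path. The parameter names, the `-Force` switch and the regular expression used to spot bare SIDs are this example's own assumptions.

```powershell
<#
  Added example (not from the thread): strip orphaned SIDs out of a local group.
  The ADSI WinNT provider accepts "WinNT://S-1-5-21-..." as a member path, so a
  phantom entry can be removed without resolving it to a name first. Works on
  XP/2003 and later; run elevated (a GPO startup script already runs as SYSTEM).
  Assumptions of this example: the parameter names, the -Force switch and the
  SID regex are the author's own choices.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [string]$GroupName    = 'Administrators',
    [switch]$Force        # skip the "did any domain member resolve?" sanity check
)

function Get-MemberProperty($member, $property) {
    # Group members come back as raw COM objects; read properties by reflection.
    $member.GetType().InvokeMember($property, 'GetProperty', $null, $member, $null)
}

$group   = [ADSI]"WinNT://$ComputerName/$GroupName,group"
$members = @($group.psbase.Invoke('Members'))

$orphans  = @()
$resolved = 0
foreach ($member in $members) {
    $name = Get-MemberProperty $member 'Name'
    $path = Get-MemberProperty $member 'ADsPath'

    # A member whose account no longer exists is listed with its SID string as
    # the Name (WinNT://S-1-5-21-...-1105) instead of WinNT://DOMAIN/Name.
    if ($name -match '^S-1-\d+(-\d+)+$') {
        $orphans += $name
    } elseif ($path -notmatch "^WinNT://$([regex]::Escape($ComputerName))/") {
        $resolved++   # a domain (non-local) member that did resolve to a name
    }
}

if ($orphans.Count -eq 0) {
    Write-Output "No orphaned SIDs in $GroupName on $ComputerName"
    return
}

# Failure mode to guard against: with no domain controller reachable, every
# domain member is displayed as a bare SID and would look "orphaned". If not a
# single domain member resolved, refuse to delete unless explicitly forced.
if ($resolved -eq 0 -and -not $Force) {
    $msg = "Found {0} unresolved SID(s) but no domain member resolved; is a domain " +
           "controller reachable? Re-run with -Force to override." -f $orphans.Count
    Write-Warning $msg
    return
}

foreach ($sid in $orphans) {
    if ($PSCmdlet.ShouldProcess("$GroupName on $ComputerName", "Remove orphaned SID $sid")) {
        $group.Remove("WinNT://$sid")
        Write-Output "Removed $sid from $GroupName"
    }
}
```

Run it with `-WhatIf` first to see which entries it would remove; on a standalone machine with no domain members in the group, `-Force` is required because the sanity check cannot distinguish "not domain-joined" from "DC unreachable". The Restricted Groups alternative raised in the thread does the same job: the "Members of this group" setting enforces the complete membership list and drops the orphaned SID along with anything else not in the list, which is exactly the trade-off (losing locally added execs) the thread goes on to discuss.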
