Group your servers into GPOs such as Citrix Servers, Exchange Servers, etc. , create a group called Citrix Server Admins or whatever, and use Restricted Groups to add that group to local Administrators for the servers in that OU. Users are then added to the relevant server admin group and inherit admin rights to the group of servers.
2009/3/23 Eisenberg, Wayne <wayne.eisenb...@pbvllc.com> > I'm curious - how do you do that with GPOs? > > Wayne > > ------------------------------ > *From:* James Rankin [mailto:kz2...@googlemail.com] > *Sent:* Monday, March 23, 2009 11:57 AM > *To:* NT System Admin Issues > *Subject:* Re: How many domain admins do you have? > > Only those who require Domain Administrator rights get them (those who work > extensively on AD). Everyone else has their server admin rights limited via > GPO to subsets of machines. We have custom groups for Exchange Server > Admins, Citrix Admins, VirtualCenter admins, SQL admins, WebSense admins - > on and on it goes. > > Even the high-level guys have an ordinary account for normal work and an > elevated admin account to be used when needed. I would guess that most > Domain Admin access in our AD is held by service accounts, rather sadly, > although these accounts can not log on interactively, so their use is > limited that way. > > 2009/3/23 David Lum <david....@nwea.org> > >> General poll: How many Systems Engineers do you guys have and how many >> of them are domain administrators? If you don’t want to divulge specifics >> then percentages would work. For us we’re at about 13 DA’s / 13 SE’s, >> although I think we should be closer to say, 4/13. >> >> >> >> Comments? >> >> *David Lum** **// *SYSTEMS ENGINEER >> NORTHWEST EVALUATION ASSOCIATION >> (Desk) 971.222.1025 *// *(Cell) 503.267.9764 >> >> >> >> >> >> >> >> > > > > > > > > > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
