yeh thats what I thought. I think they are wanting to make sure that if someone had the admin account they couldn't set themselves up with full domain admin rights, without having the account in the domain admin and local admin groups.
Its a security check thing, i think they are preparing to remove someone or someone is leaving who had domain admin rights on a second admin account and want to be sure they haven't set anything else up. Ill check the GPO's Graeme On 10 June 2010 14:52, James Rankin <kz2...@googlemail.com> wrote: > or do you mean have admin rights without belonging to the local > administrators group? You could easily give them all permissions and user > rights normally restricted to Administrators, but that would kind of defeat > the entire object of having the administrators group in the first place. > > > On 10 June 2010 14:47, Graeme Carstairs <loonyto...@gmail.com> wrote: > >> I have been asked by a customer if on their 2003 AD domain it is possible >> for someone to have admin rights to the servers and not be a member of >> domain admins. >> >> and local admin groups on member servers. >> >> Any one know if it can be done >> >> Graeme >> >> >> -- >> Good news everyone, you have just received and e-mail from me! >> >> >> >> >> >> > > > -- > "On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into > the machine wrong figures, will the right answers come out?' I am not able > rightly to apprehend the kind of confusion of ideas that could provoke such > a question." > > > > > > -- Good news everyone, you have just received and e-mail from me! ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
