First - do not use Restricted Groups on your servers without
understanding it.  You'll most likely strip out every service account in
one quick step and break your entire business!
 
Second - yes, you can just create a domain group and have that added to
local Administrators groups on every server via GPO (could be a script,
could be Restricted Groups ... latter a better option, but see earlier
warning!).
 
However, if you're looking at a user and they're not a Domain Admin but
you're worried they could possibly have admin on servers or on AD
services, you're out of luck.  There are a million sneaky ways they
could have added themselves or a sneaky group to various ACLs on
servers, in AD, in all sorts of devious places.
 
If you're hugely concerned and they need to still have access for some
time, create a new account with no privs and have them use that once
you've disabled the other account.  It's the only way.  However .. if
they know service account passwords, etc., then they can get access back
that way too ...
 
a
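An added example, not part of the thread or anyone's reply in it: a PowerShell audit that does the check the reply above recommends for the "sneaky membership" problem, reading the local Administrators group on each member server through the WinNT ADSI provider and reporting any member that is not in an approved baseline. The server names, the CONTOSO domain and the ServerAdmins group (the domain group the GPO would push) are constructed placeholders; the script assumes the account running it can read local group membership on those servers.

```powershell
# Added example (not from the thread): audit local Administrators membership
# on a list of member servers and flag anything outside an approved baseline.
# Assumptions: the servers are reachable via the WinNT ADSI provider and the
# calling account can read their local group membership.
# Server names, domain name and the approved list are constructed placeholders.

$Servers  = @('SERVER01', 'SERVER02')            # constructed placeholders
$Approved = @(
    'CONTOSO\Domain Admins',                     # constructed domain name
    'CONTOSO\ServerAdmins',                      # the domain group pushed by GPO
    'Administrator'                              # built-in local account
)

function Get-LocalAdminMembers {
    param([string]$Server)
    $group = [ADSI]"WinNT://$Server/Administrators,group"
    # Invoke('Members') returns the raw member objects; pull each ADsPath
    # (e.g. WinNT://CONTOSO/ServerAdmins) and normalise it to DOMAIN\Name
    # for domain principals or a bare name for local principals.
    foreach ($m in $group.psbase.Invoke('Members')) {
        $path  = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $parts = ($path -replace '^WinNT://', '') -split '/'
        if ($parts.Count -ge 2 -and $parts[0] -ine $Server) {
            "$($parts[0])\$($parts[1])"          # domain user or group
        } else {
            $parts[-1]                            # local user or group
        }
    }
}

function Find-UnexpectedAdmins {
    param([string[]]$Servers, [string[]]$Approved)
    foreach ($s in $Servers) {
        try {
            $members = Get-LocalAdminMembers -Server $s
        } catch {
            # A server that cannot be read is itself a finding worth noting
            Write-Warning "Could not read Administrators on ${s}: $_"
            continue
        }
        foreach ($member in $members) {
            # -notcontains is case-insensitive, so CONTOSO\serveradmins still matches
            if ($Approved -notcontains $member) {
                [pscustomobject]@{ Server = $s; Member = $member }
            }
        }
    }
}

Find-UnexpectedAdmins -Servers $Servers -Approved $Approved | Format-Table -AutoSize
```

Run it from an admin workstation with a server list exported from AD; an empty table means every server's Administrators group contains only the baseline. It only covers the local Administrators group, which is the point the reply makes: nested groups, per-object ACLs in AD and service account passwords are separate checks that this script does not attempt.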

________________________________

From: Graeme Carstairs [mailto:loonyto...@gmail.com] 
Sent: 10 June 2010 14:57
To: NT System Admin Issues
Subject: Re: Heres a weird one - customer wants to give domain admin
rights to non domain admin group members.


Yeah, that's what I thought.

I think they are wanting to make sure that if someone had the admin
account they couldn't set themselves up with full domain admin rights,
without having the account in the domain admin and local admin groups.

It's a security check thing, I think they are preparing to remove someone
or someone is leaving who had domain admin rights on a second admin
account and want to be sure they haven't set anything else up.

I'll check the GPOs

Graeme


On 10 June 2010 14:52, James Rankin <kz2...@googlemail.com> wrote:


or do you mean have admin rights without belonging to the local
administrators group? You could easily give them all permissions and
user rights normally restricted to Administrators, but that would kind
of defeat the entire object of having the administrators group in the
first place.


On 10 June 2010 14:47, Graeme Carstairs <loonyto...@gmail.com> wrote:

I have been asked by a customer if on their 2003 AD
domain it is possible for someone to have admin rights to the servers
and not be a member of domain admins.

and local admin groups on member servers.

Anyone know if it can be done?

Graeme


-- 
Good news everyone, you have just received an e-mail from me!
-- 
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you
put into the machine wrong figures, will the right answers come out?' I
am not able rightly to apprehend the kind of confusion of ideas that
could provoke such a question."