  • planning

    I'm still in the planning stages

    I will end up with one domain - multiple sites
    each site will have a server

    file wise that's ok - screw it down with the permissions
    but some people will be in the administrators group for the domain
    how can I make sure that they are only able to do anything on their own local server

    is it just a case of assigning a GPO to that server and only allowing log on locally to the server for a created group and excluding administrators
    or is there a better way


  • #2
    If you want to lock these people down to only the local server where they are, why are you putting them in the domain admins group? If they need to be able to reset passwords and such, use AD delegation.


    • #3
      they would only be in administrators group not domain admins
      it's not for accounts - it's purely politics

      it's in their security policy that one person is an administrator so that they can install updates onto the server
      (I know the policy is wrong - it was written by an idiot and read by idiots)

      I just need to provide it but make sure they can only log on to that server with admin rights on that server


      • #4
        I do not see a problem here. What's wrong with putting their domain accounts in the server's local Administrators group? This makes admins server-wide and not domain-wide.
        Guy Teverovsky
        "Smith & Wesson - the original point and click interface"
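
One way to script the approach suggested in #4, as an added example that is not code from any poster in this thread: each domain account is checked against the domain-wide admin groups, then added to the local Administrators group of its own server only. The domain, server and account names are constructed placeholders, and the script assumes the site servers are member servers (a domain controller has no local Administrators group, so membership there is domain-wide).

```powershell
# Added example. Domain, server and account names below are constructed placeholders.
Import-Module ActiveDirectory   # RSAT module; provides Get-ADGroupMember

# One entry per site: the server and the domain account that should administer only it.
$siteAdmins = @(
    @{ Server = 'SITE1-SRV01'; Account = 'EXAMPLE\site1.admin' },
    @{ Server = 'SITE2-SRV01'; Account = 'EXAMPLE\site2.admin' }
)

# Domain-wide groups that a per-server admin must NOT belong to.
$domainWideGroups = 'Administrators', 'Domain Admins'

foreach ($entry in $siteAdmins) {
    $sam = ($entry.Account -split '\\')[-1]

    # 1. Skip the account if it already holds domain-wide admin rights (nested groups included).
    $hits = foreach ($g in $domainWideGroups) {
        if (Get-ADGroupMember -Identity $g -Recursive | Where-Object SamAccountName -eq $sam) { $g }
    }
    if ($hits) {
        Write-Warning "$($entry.Account) is in domain group(s): $($hits -join ', '). Remove it there first."
        continue
    }

    # 2. Add the domain account to the local Administrators group on its own server only.
    Invoke-Command -ComputerName $entry.Server -ArgumentList $entry.Account -ScriptBlock {
        param($account)
        $current = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
        if ($current -notcontains $account) {
            Add-LocalGroupMember -Group 'Administrators' -Member $account
        }
        # 3. Return the resulting membership so it can be reviewed per server.
        Get-LocalGroupMember -Group 'Administrators' |
            Select-Object @{ n = 'Server'; e = { $env:COMPUTERNAME } }, Name, ObjectClass, PrincipalSource
    }
}
```

Re-running the script is safe because existing members are not added twice, and the returned membership list doubles as an audit of who else holds local admin rights on each site server.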