
Domain admin with very limited privileges


  • Domain admin with very limited privileges

    Here is the scoop: we do IT outsourcing for a company that has an on-site "IT" guy (let me preface this by saying I am a Cisco/network hardware guy, not MS). What I would like to do is give him complete access to the network, except I do not want him to log on to any servers. Is there any easy way to accomplish this, i.e. give him domain admin rights but just not to the servers?

  • #2
    Re: Domain admin with very limited privileges

    You could use the following GPO setting:

    Computer Configuration - Windows Settings - Security Settings - Local Policies - User Rights Assignment - Deny Log on Locally
    and add their Username or Security Group in there.

    Ta
    Caesar's cipher - 3

    ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

    SFX JNRS FC U6 MNGR


    • #3
      Re: Domain admin with very limited privileges

      If he is a domain admin then he can change whatever he wants, including any restrictions you put on him regarding logon.

      I wouldn't bother going this route at all. I would find out what you actually specifically need him to do and then grant rights to those things instead.
      cheers
      Andy

      Please read this before you post:


      Quis custodiet ipsos custodes?


      • #4
        Re: Domain admin with very limited privileges

        Yes, thank you both. I guess all I really need him to do is have RDP access to any PC (excluding servers), also be able to join PCs to the domain, and have local admin on all workstations. Now, if I use gpedit to disallow access, that only affects the individual servers, right?


        • #5
          Re: Domain admin with very limited privileges

          I would use the delegation of control wizard and use restricted groups to make him local admin on the workstations.
          Marcel
          Technical Consultant
          Netherlands
          http://www.phetios.com
          http://blog.nessus.nl

          MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
          "No matter how secure, there is always the human factor."

          "Enjoy life today, tomorrow may never come."
          "If you're going through hell, keep going. ~Winston Churchill"


          • #6
            Re: Domain admin with very limited privileges

            You can, as Dumber states, use the delegation wizard to allow workstation addition and then use a GPO and restricted groups to allow local admin access on the machines you want.
            That would be a much cleaner method.
            cheers
            Andy


            • #7
              Re: Domain admin with very limited privileges

              Originally posted by AndyJG247
              If he is a domain admin then he can change whatever he wants including any restrictions you put on him regarding logon.
              Not exactly, if the security permissions are changed on the GPO and the Domain Admins are only granted Read permission and the policy is being enforced.

              I suppose it all depends on the structure of your org.
              If you have a centralised management structure, then I would have thought the GPO thing should work.
              If, however, you have a distributed one, then the Admin Delegation wizard should do the trick.
              But always give users only the rights and permissions that enable them to carry out their jobs, as best practice.
              Last edited by L4ndy; 30th March 2009, 15:33.

              • #8
                Re: Domain admin with very limited privileges

                Sorry InfiniteT if this is going a little off topic.

                L4ndy, just tried and, assuming I have this correct, you may be able to delete it from sysvol, or disable it even if you have read? Not played around a lot with it but I'm sure you can work around it.
                cheers
                Andy


                • #9
                  Re: Domain admin with very limited privileges

                  Wow... thanks for all the info. I will look into these options next time I am out there.
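
Added example, not part of any post in this thread: a small checker for the two GPO settings discussed above, run over constructed fragments of a GPO security template (GptTmpl.inf). It shows that "Deny log on locally" alone leaves RDP to the servers open, and what a Restricted Groups entry for workstation local admins looks like. The SIDs and template fragments are made up for illustration.

```python
import configparser

TECH = "S-1-5-21-1111111111-2222222222-3333333333-1105"         # constructed SID: on-site tech's group
DOMAIN_ADMINS = "S-1-5-21-1111111111-2222222222-3333333333-512"  # constructed domain SID, RID 512

# Constructed [Privilege Rights] fragments for a GPO linked to the servers OU.
SERVERS_WEAK = f"""[Privilege Rights]
SeDenyInteractiveLogonRight = *{TECH}
"""
SERVERS_FIXED = SERVERS_WEAK + f"SeDenyRemoteInteractiveLogonRight = *{TECH}\n"

# Constructed Restricted Groups fragment for a workstations GPO. "Members" is
# authoritative: it replaces the local Administrators list, so Domain Admins
# must be listed again or they lose local admin on those machines.
WORKSTATIONS = f"""[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *{DOMAIN_ADMINS},*{TECH}
"""

DENY_RIGHTS = {
    "SeDenyInteractiveLogonRight": "console",    # Deny log on locally
    "SeDenyRemoteInteractiveLogonRight": "rdp",  # Deny log on through Remote Desktop Services
}

def load(text):
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case; the default lowercases option names
    cp.read_string(text)
    return cp

def sids(value):
    """Split a comma-separated '*SID' list into a set of bare SIDs."""
    return {s.strip().lstrip("*") for s in (value or "").split(",") if s.strip()}

def denied_paths(template, sid):
    """Logon paths that a server template denies to sid."""
    cp = load(template)
    rights = cp["Privilege Rights"] if cp.has_section("Privilege Rights") else {}
    return {label for right, label in DENY_RIGHTS.items() if sid in sids(rights.get(right, ""))}

def local_admins(template):
    """SIDs that Restricted Groups forces into local Administrators (S-1-5-32-544)."""
    cp = load(template)
    groups = cp["Group Membership"] if cp.has_section("Group Membership") else {}
    return sids(groups.get("*S-1-5-32-544__Members", ""))

if __name__ == "__main__":
    for name, tpl in (("weak", SERVERS_WEAK), ("fixed", SERVERS_FIXED)):
        missing = set(DENY_RIGHTS.values()) - denied_paths(tpl, TECH)
        print(name, "servers GPO leaves open:", sorted(missing) or "nothing")
    print("workstation local admins:", sorted(local_admins(WORKSTATIONS)))
```

Neither deny right holds against an account that is still a member of Domain Admins, which is the point made in post #3.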
