
Thread: wouldn't it be nice....

  1. #11
    pborkstrom

    Total control over the workstations seemed to be the trickiest thing to me. I was able to delegate user account creation using the wizard in the AD Users and Computers snap-in.

    The thing that makes it particularly hard to implement restricted groups is that the users have been local administrators over their computers for the last few years. This all started before I was brought in to my current job as a contractor to help teach the current staff AD management. When I came in, there was a migration from NetWare to AD planned within a week. Seeing that machines weren't managed from a domain perspective, each user had a local account on their computers (in the local administrators group). The migration occurred over a weekend, so not much time was given to test the running of production apps and such without local admin privileges.

    So, ultimately, I'd like to have a group for account management, email box creation, member server management, and local workstation management. I've created a group for the server and desktop management, delegated user account creation to another group, and assigned that group to the Exchange view admins group.

    Now the problem I'm facing is how to remove the users from the local admin group. As of now, they are all specifically added to their own machine as a local admin, but I'd like to get them to a place where they weren't local admins. Any suggestions on how to go about that? I know how to remove them all (with the restricted users group), but would like any advice on how to begin to remove local admin privileges from users.

  2. #12
    AdamV

    Quote Originally Posted by pborkstrom
    I'd like to get them to a place where they weren't local admins. Any suggestions on how to go about that? I know how to remove them all (with the restricted users group), but would like any advice on how to begin to remove local admin privileges from users.
    Not sure I understand the dilemma. You can use restricted groups to get them to a place where they are not local admins, and at the same time add domain groups who do need to be able to admin machines.

    Since we are talking about the local admins group, you can roll this out gradually (if that is what you are getting at) by creating an OU with this policy linked to it and moving machines there as required, then once they are all moved remove the old machines OU and rename the new one to whatever you want.
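
The staged rollout described in the last post, sketched in PowerShell as an added example that is not part of either poster's reply. It assumes the ActiveDirectory and GroupPolicy modules, PowerShell remoting to the workstations, and a GPO with Restricted Groups already configured; the domain, OU, GPO, computer names and report path are constructed placeholders.

```powershell
# Added example: move workstations in batches into an OU that has the
# Restricted Groups GPO linked, recording local admin membership first.
# Every name below is a constructed placeholder, not taken from the thread.
Import-Module ActiveDirectory, GroupPolicy

$DomainDn   = 'DC=example,DC=local'
$OldOu      = "OU=Workstations,$DomainDn"
$NewOuName  = 'Workstations-Restricted'
$NewOu      = "OU=$NewOuName,$DomainDn"
$GpoName    = 'Restricted Groups - Local Admins'   # assumed to exist already
$Batch      = 'WS-001', 'WS-002'                   # machines to move this round
$ReportPath = 'C:\Temp\local-admins-before.csv'

# 1. Create the new OU once and link the policy to it.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$NewOuName'" -SearchBase $DomainDn -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $NewOuName -Path $DomainDn
    New-GPLink -Name $GpoName -Target $NewOu | Out-Null
}

foreach ($name in $Batch) {
    $computer = Get-ADComputer -Filter "Name -eq '$name'" -SearchBase $OldOu
    if (-not $computer) { Write-Warning "$name not found under $OldOu; skipped"; continue }

    # 2. Record who is in local Administrators before the policy replaces the list.
    #    S-1-5-32-544 is the well-known SID of BUILTIN\Administrators.
    try {
        Invoke-Command -ComputerName $computer.DNSHostName -ErrorAction Stop -ScriptBlock {
            Get-LocalGroupMember -SID 'S-1-5-32-544' |
                Select-Object @{n='Computer';e={$env:COMPUTERNAME}}, Name, ObjectClass, PrincipalSource
        } | Select-Object Computer, Name, ObjectClass, PrincipalSource |
            Export-Csv -Path $ReportPath -Append -NoTypeInformation
    }
    catch {
        # No inventory means no record of what the policy would remove: leave it in place.
        Write-Warning "$name inventory failed, not moved: $($_.Exception.Message)"
        continue
    }

    # 3. Move the machine; the policy takes effect at a later Group Policy refresh.
    Move-ADObject -Identity $computer.DistinguishedName -TargetPath $NewOu
    Write-Output "$name moved to $NewOu"
}
```

The CSV gives a per-machine record of the accounts that held local admin rights before the move, which helps when an application turns out to need elevated rights after the policy applies.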
