admin abilities

Networks

Collapse -

by kevin203 · 14 years ago In reply to admin abilities

Hi,

There is three ways of doing that.

First is prevent them from accessing the server from sharing security.

Second is to delete systems admin group from all group that related to them.

Third is add them to domain user group instead of Administrator cause domain user group also can be a user computer administrator.

hope it will help.

Collapse -

by papula · 14 years ago In reply to

i guess im not understanding any of that answer:
1st do you mean prevent them from physical access??- i cant do that, but that wouldnt matter anyway because they could remote in. OR you may have meant prevent them from accessing shares- i can do that, but they could still access dsa.msc, which is what i dont want.
2nd- i dont know what systems admin group is.
3rd- a domain user cannot administrate domain computers.

Collapse -

by kevin203 · 14 years ago In reply to admin abilities

Ok...

Domain user also can administrate domain computer if you assign them as the particular domain computer admin right.

You can also turn off the remote access or you can assign some user only to have right to remote.

And last, only server administrator can have full permission on server and not domain admin.

hope this will help.

Collapse -

by ManISKid · 14 years ago In reply to admin abilities

You can explicitly deny logging onto the domain controller through the group policy.

computer configuration -- windows settings -- security settings -- local settings -- user rights assignment -- 'deny log on locally' and/or 'deny logging on through terminal services'. This is already defined in the default domain controllers group policy

However, I think that the best thing to do is to
simply create a new group and assign this group administrative rights but without the ability to administrate the server.

You may want to consider creating differnet groups and using the runas command to allow the administrators the ability to log on as 'account adminstrators' etc

Collapse -

by papula · 14 years ago In reply to

man in kid-

when you specify that in group policy, that is denying access to the local comptuer only right? thats for the DC only- how do i specify for other servers?

also- how do you assign admin rights but not to servers?

also -please expand on runas command.

thanks

Collapse -

by edwerg · 14 years ago In reply to admin abilities

It sounds like the easiest procedure for you to follow would be to: create a new user group (global) for your techs , add the techs to the group. Go to each of the client pc's and add the new user group you just created to the local administrator group. This way once the group is added to the local pc's admin group you can add or delete the techs who you want to admin the local pc's. Hope this helps

Collapse -

by honu95 · 14 years ago In reply to admin abilities

Run As Command: allows a user to run specific tools and programs w/ different permissions than the user's current logon provides.

-hold down shift + rt.click and select "run as"
-using the cmd prompt, type "runas /user:domain_name\username program_name"

you can also setup shortcuts by creating a shortcut of the item ie. mmc or perfmon, and type the CL Run As command (seen above) where you would type the location of the item when creating the shortcut.

good luck

Networks

General discussion

admin abilities

All Comments

Start or search

Create a new discussion

Post type

Subject title

Topic Tags

Message Body

Track this discussion and email me when there are updates

Related Discussions

Linksys Velop: A simple solution for spotty Wi-Fi

Global VPN solution (Corporate)

How to restore VHD file data ?

Small business server

Networking - using a switch

Related Forums