jjanczuk
asked on
Local Admin rights to a Domain User
I need to grant Local Administrator permission to a Domain User.
I've a W2000 server with Active Directory, acting as PDC, and a W2000 server stand alone, included into the domain.
I need that a domain user (DOMAIN/jdoe) get admin permissions to administer just the stand alone W2000 server.
Thanks in advance.
I've a W2000 server with Active Directory, acting as PDC, and a W2000 server stand alone, included into the domain.
I need that a domain user (DOMAIN/jdoe) get admin permissions to administer just the stand alone W2000 server.
Thanks in advance.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Don't add DomainUserGroups to the LocalAdminGroup.
It's a great security-risk, because it gives Your DomainUsers access to all the other workstation using \\computername\c$
And it's both when, and even after You remove him from the DomainGroup:
Making a DomainUser member in 2 hours in one of Your "empty" DomainGroups in LocalAdminGroup, because it's nescessary, makes it possible for that DomainUser to add his own LocalUser member of the DomainAdminsGroup on every W2k-client on Your LAN.
When You removes the DomainUser from the "empty" DomainGroup, he can still use
\\ComputerName\C$ on every W2k-klient on Your LAN.
Many Regards
Jorgen Malmgren
IT-supervisor
Denmark
It's a great security-risk, because it gives Your DomainUsers access to all the other workstation using \\computername\c$
And it's both when, and even after You remove him from the DomainGroup:
Making a DomainUser member in 2 hours in one of Your "empty" DomainGroups in LocalAdminGroup, because it's nescessary, makes it possible for that DomainUser to add his own LocalUser member of the DomainAdminsGroup on every W2k-client on Your LAN.
When You removes the DomainUser from the "empty" DomainGroup, he can still use
\\ComputerName\C$ on every W2k-klient on Your LAN.
Many Regards
Jorgen Malmgren
IT-supervisor
Denmark
Connect on the stand alone server as Administrator local and modify the Administrators group on that machine by adding DOMAIN/jdoe to this group.
You do this from right click My Computer, select Manage, select Local Users and Groups, and add the user's Domain Account (DOMAIN/jdoe ) to the local administrators group.
Mishou