  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 218
  • Last Modified:

How to make the user group "Install Team" ONLY local admin on a new pc by default

We have an install team that prepares all new PCs.
They are NOT domain admins, but need to be able to add local admins on the computer they're installing.

So how can I make sure that the 'install team' is by default local admin on a PC in a certain OU?
Can this be done by GPO?


thx!!

serge
0
MorSe
Asked:
1 Solution
 
trywaredkCommented:
You can only do it without any risk if you want them to be members of the local admin group on EVERY workstation on your domain.

If they install with CD, they are typing the local administrator's password. Doing that, they can do what they like on the workstation.

If you use unattended install, the GLOBAL domain admin group is by default a member of the LOCAL admin group.

That's not what you want them to be, but there's no way out of it.

Please be careful with members of the LOCAL admin group:


:o) PLEASE READ THIS CAREFULLY:

You must NEVER NEVER add a Domain User Group to the Local Admin Group on each workstation.

And You must NEVER add the same Domain User to the Local Admin Group on more than his/her own workstation.

If You add a Domain User Group to the Local Admin Group, every member of this Domain User Group gets unlimited REMOTE access power of every workstation on Your network.

The unlimited REMOTE access involves:
1. Explorer: \\ComputerName\C$
2. Registry
3. Computer Management (Control Panel)


IF YOU WANT TO KNOW MORE ABOUT THIS ISSUE:
http://www.experts-exchange.com/Security/Win_Security/Q_20506528.html
http://www.tryware.dk/English/W2kLocalGroupPolicy/TotalAdminPower.html
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windows2000serv/evaluate/featfunc/07w2kadc.asp
http://support.microsoft.com/?kbid=182734


IF YOU WANT TO TEST IT:
You have to grant a Domain User Group to the Local Admin Group on BOTH test-workstations, AND logout and logon again.

Important: You have to log on again after creating the credentials, because in W2k they are given at the moment You press ENTER after the password when logging on.

Please reply, when You have removed the Domain User Group from the Local Admin Group again!


Many Regards

Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open
0
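An audit for the two rules stated in the answer above, added here as an example and not part of the original thread: it reports every domain group found in a local Administrators group, and every domain user who is local admin on more than one workstation. The function name `Find-SharedLocalAdmin`, the inventory columns, and the `EXAMPLE` domain, host names and SIDs are assumptions made up for the sample.

```powershell
# Constructed inventory: one row per member of BUILTIN\Administrators per workstation.
# For one live machine (Windows PowerShell 5.1+) the same columns can be produced with:
#   Get-LocalGroupMember -SID 'S-1-5-32-544' | Select-Object @{n='Computer';e={$env:COMPUTERNAME}},
#     Name, @{n='SID';e={"$($_.SID)"}}, ObjectClass, @{n='PrincipalSource';e={"$($_.PrincipalSource)"}}
$inventory = @'
Computer,Name,SID,ObjectClass,PrincipalSource
WS01,WS01\Administrator,S-1-5-21-4444444444-5555555555-6666666666-500,User,Local
WS01,EXAMPLE\Domain Admins,S-1-5-21-1111111111-2222222222-3333333333-512,Group,ActiveDirectory
WS01,EXAMPLE\Install Team,S-1-5-21-1111111111-2222222222-3333333333-1105,Group,ActiveDirectory
WS01,EXAMPLE\alice,S-1-5-21-1111111111-2222222222-3333333333-1201,User,ActiveDirectory
WS02,EXAMPLE\Domain Admins,S-1-5-21-1111111111-2222222222-3333333333-512,Group,ActiveDirectory
WS02,EXAMPLE\Install Team,S-1-5-21-1111111111-2222222222-3333333333-1105,Group,ActiveDirectory
WS02,EXAMPLE\bob,S-1-5-21-1111111111-2222222222-3333333333-1202,User,ActiveDirectory
WS03,EXAMPLE\Install Team,S-1-5-21-1111111111-2222222222-3333333333-1105,Group,ActiveDirectory
WS03,EXAMPLE\alice,S-1-5-21-1111111111-2222222222-3333333333-1201,User,ActiveDirectory
'@ | ConvertFrom-Csv

function Find-SharedLocalAdmin {
    param(
        [Parameter(Mandatory)] [object[]] $Inventory,
        # RID 512 = Domain Admins, which is placed in local Administrators when a PC joins the domain.
        [string[]] $AllowedRid = @('512')
    )
    $Inventory |
        Where-Object { $_.PrincipalSource -eq 'ActiveDirectory' } |              # ignore local accounts
        Where-Object { $AllowedRid -notcontains ($_.SID -split '-')[-1] } |      # ignore expected defaults
        Group-Object SID |                                                       # one bucket per principal
        ForEach-Object {
            $first = $_.Group[0]
            $hosts = @($_.Group.Computer | Sort-Object -Unique)
            # Report any domain group, and any domain user who is admin on more than one workstation.
            if ($first.ObjectClass -eq 'Group' -or $hosts.Count -gt 1) {
                [pscustomobject]@{
                    Principal    = $first.Name
                    Class        = $first.ObjectClass
                    Workstations = $hosts -join ','
                }
            }
        }
}

Find-SharedLocalAdmin -Inventory $inventory | Format-Table -AutoSize
```

With the sample rows, `EXAMPLE\bob` is not reported because he is admin on a single workstation only.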
 
MSGeekCommented:
Jorgen, how many times have you pasted that post on this site?  :)  I hope your parachute did not open before you jumped out of the plane. :)
0
 
CleanupPingCommented:
MorSe:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
EXPERTS:
Post your closing recommendations!  No comment means you don't care.
0
 
trywaredkCommented:
:o) Glad I could help you - thank you for the points
0
