Solved

Local Computer / Domain Permissions for administrator user account

Posted on 2005-04-14
2,145 Views
Last Modified: 2012-06-27
Here is the deal... All of our computers have 'administrator' as the local admin account. We also have a domain account 'administrator' that is under the domain admins group. We have the same password set for both, so it's universal. We need to clamp down on security and tracking, so here is what we need to do.

I would like to rename the local admin account; for sample purposes let's call it 'god'. I have already done this on some computers without any trouble. This account is for local login and for doing local machine work. I would like to have this account with domain privileges so it can mount drives/printers, so I made an account 'god' on the domain. But... now since I have the god account on the domain, I can log in anywhere as domain\god. I do not want this, I just want the permissions to access drives/printers/resources... but it cannot log in.

local\god - local computer login, **access to network resources**
domain\god - **CANNOT login**, ...but I may need this account for network resources, idk.

How can I do this?
Question by: atkfrg56

8 Comments
LVL 9

Assisted Solution

by: cyberdevil67 (earned 300 total points)
ID: 13781521
Hi atkfrg56,


Why not set up accounts from local computer user accounts, then add these to a group of your choice, and assign this group the necessary privileges? Not administrator, but add what you need this group to do in their permissions status.

Cheers!
LVL 2

Author Comment

by: atkfrg56
ID: 13781821
cyberdevil67 ,

Let's see if I understand this right.

[new group] "local\special admins"
[member of "local\special admins"] "local\god"

[built-in group] "domain\domain admins"
[member of "domain\domain admins"] "local\special admins"

so that the "local\god account" is part of "local\special admins" which is part of "domain\domain admins" which has all the powers. Do I have the right idea here?

LVL 2

Author Comment

by: atkfrg56
ID: 13781838
cyberdevil67 ,
Err, I don't think that works with multiple computers... I think I messed up. Maybe...

"local\god" in group "domain\domain admins"

That's simple and may work.
LVL 9

Assisted Solution

by: cyberdevil67 (earned 300 total points)
ID: 13781914
On the domain controller create a group that does what you want, and doesn't have access to what you don't want them to access.

Then have every computer which logs into that domain be a part of that group. But for that to work each computer will need to be a part of that domain.

So:

  domain\special group has access to the drives & printers it needs to.

Then user\user1 becomes a part of domain\special group, then you lock it down further by selecting dirs and devices that only that group can access.
LVL 2

Author Comment

by: atkfrg56
ID: 13783341
cyberdevil67,
I tried that method, but it doesn't work / is not what I am trying to do (to my knowledge).

local\administrator and domain\administrator users need to have all their powers combined into local\administrator so that I can eliminate the domain\administrator account and so that domain\administrator cannot log in. The real administrators will have their own accounts and be part of the 'domain admins' group. Then the only reason to use the local\administrator account will be for building computer images. In no way do I want users to log in locally; there is only 1 local account and it's the local\administrator, which is only used to build images. Troubleshooting, permissions, and whatever network functions need busting out will be handled by the admin people who are members of domain\domain admins.
LVL 74

Accepted Solution

by: Jeffrey Kane - TechSoEasy (earned 1200 total points)
ID: 13789388
You're looking at it the wrong way... there are two types of directives in Group Policy -- COMPUTER and USER.  What you are trying to do is set a COMPUTER policy... your client computers already have names and that is how you grant them permissions (separate from the USER on the computer).  There is also a third type of object in Group Policy... GROUPS.  Either a COMPUTER or a USER can be a member of a GROUP.

There is no need to devise a new methodology for this.  PLUS, you can't make a LOCAL profile have DOMAIN privileges (via Group Policy Objects)... it's just local... and a domain directive will always override it.

GPOs are processed in the following order:

The local GPO is applied.
GPOs linked to sites are applied.
GPOs linked to domains are applied.
GPOs linked to OUs are applied -- in order of OU hierarchy.

Here's the lowdown on Computers, Users & Groups:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/maintain/adusers.mspx

And on how the policies are applied:
http://go.microsoft.com/fwlink/?linkid=18671

Jeff @
TechSoEasy
LVL 2

Author Comment

by: atkfrg56
ID: 13809331
TechSoEasy,
So what I am trying to do cannot be done in my way, correct?
LVL 2

Author Comment

by: atkfrg56
ID: 14840407
I see that my method cannot be done, and because of this I do not have the power needed to complete my task. I chose the next closest way to do it, although it's not going to complete my project.