I am currently in the process of setting up a new SBS 2008 SP2 server and have had a look at the security on there. So I have a couple of questions.
1. From what I gather, ALL domain admins are added to the local admin group on connected workstations. Is that right?
2. If I didn't want to give all domain admins that right, I understand that this can be accomplished via GPO, and I have come across a couple of methods, which I will outline below.
Method a) This can be accomplished through the restricted groups on GPO, and if so, how can I set this up so that I can only add specific domain admins to the local admin group?
Method b) The second method I have found is through User configuration | Preferences | Control Panel settings | Local users and groups. Having tried this, I can remove the currently logged-in user and assign certain people to the local admin group.
My question is which method is better, and could I get some instructions on the restricted groups via GPO? There is a lot out there about this method, but not specifically for SBS 2008.