administrator access without adding to administrators group

  • Thread starter Thread starter mcp
  • Start date Start date
M

mcp

I have created a domain account that I want it to be a local adminitrator on
all servers in the domain. I want to do this without adding the user to the
local administrators group. Is that possible? Is this something that could
be done from the local security policy?
 
mcp said:
I have created a domain account that I want it to be a local adminitrator
on all servers in the domain. I want to do this without adding the user to
the local administrators group. Is that possible? Is this something that
could be done from the local security policy?
Click to expand...

Let me get this right.
You want, for each server, a domain account to be an administrator
without being in each server's Administrators group ?
So you want the account to be something (admin), without meeting
the essential, minimum necessary and sufficient requirement for it
to be that something (i.e. member in Administrators group) ?
That would be sort of like us all being billionaires without having
to have a billion, right?
 
I have created a domain account that I want it to be a local adminitrator on
all servers in the domain. I want to do this without adding the user to the
local administrators group. Is that possible? Is this something that could
be done from the local security policy?
Click to expand...

I suspect that generous use of NTRIGHTS might achieve what you have in
mind.
 
Michael Bednarek said:
I suspect that generous use of NTRIGHTS might achieve what you have in
mind.
Click to expand...

That could certainly cover part of it, not all.

For example, filesystem permissions, registry permissions,
com/dcom component permissions, per-service permissions,
service manager permissions, etc..

Roger
 
Michael Bednarek wrote in message news:[email protected]...

That could certainly cover part of it, not all.

For example, filesystem permissions, registry permissions,
com/dcom component permissions, per-service permissions,
service manager permissions, etc..
Click to expand...

I think these can be covered with other command line and/or GUI tools or
WMI/VBS scripts. Still, it seems a perfectly pointless exercise, except
for nefarious purposes.
 
Michael Bednarek said:
I think these can be covered with other command line and/or GUI tools or
WMI/VBS scripts. Still, it seems a perfectly pointless exercise, except
for nefarious purposes.
Click to expand...

It is an odd exercise, to take the long road when there is
a pre-planned short cut. Yes, there are many way to give
permissions to secured objects, but it would have to be
done as user rights would not themselves allow any of
those accesses. Between the two however, after many
hours of effort finding all that needs to be touched, one
would come close (but likely still not be there - admin
shares for example).

Roger
 
Back
Top