Administrator permission

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

Does anybody out there know if theirs any way to prevent users with administrative rights on there local machines from adding users off of the network to their local machines and changing their rights such as power user, restricted or administrator. I don't want them to be able to see group that I configured or other user accounts. I thought from reading the microsoft books and studing alot that the administrative account on the local machine didn't have admin rights on the domain or am I crazy.
 
This is impossible. What you're asking for is an administrator account that
doesn't have full admin rights to the box. That, by definition, is
impossible.

You've given a user administrative rights to the local machine and the end
result is that the user can administer the local machine. Being the
administrator of a machine means that you can decide who else is an
administrator of that machine.

The solution is to not give admin rights to those you do not trust.

Oli


James said:
Does anybody out there know if theirs any way to prevent users with
Click to expand...
administrative rights on there local machines from adding users off of the
network to their local machines and changing their rights such as power
user, restricted or administrator. I don't want them to be able to see group
that I configured or other user accounts. I thought from reading the
microsoft books and studing alot that the administrative account on the
local machine didn't have admin rights on the domain or am I crazy.
 
circa Fri, 19 Dec 2003 15:01:08 -0800, in
microsoft.public.win2000.group_policy, =?Utf-8?B?SmFtZXM=?=
([email protected]) said,
Does anybody out there know if theirs any way to prevent users with administrative rights on there local machines from adding users off of the network to their local machines and changing their rights such as power user, restricted or administrator. I don't want them to be able to see group that I configured or other user accounts. I thought from reading the microsoft books and studing alot that the administrative account on the local machine didn't have admin rights on the domain or am I crazy.
Click to expand...
Do not give users administrative rights to their local machines.
Period. Since the machine is a member of the domain, yes, they can
add accounts from the domain to their machine's local groups.

Laura
 
Back
Top