Domain adm X local adm

  • Thread starter Thread starter Thiago Zanolo Mainente - Jornal Regional
  • Start date Start date
T

Thiago Zanolo Mainente - Jornal Regional

First thanks to all!

The diference between domain adm and local adm is:
- domain adm: can create domain accounts, create OU, changes at dns, dhcp,
wins, he can do everything.
- local adm: (from workstations) can add new hardware at his workstation,
change conecction parameters, etc.

So, if I have 100 workstations will I need to create at every workstation a
locall account with adm power? Its because here were I work the
adminstration account of my domain can log at every workstation but it can`t
change hardware. The domain adm doesn`t have local adminstration power.

How can I resolve it?

Thanks
 
First thanks to all!

The diference between domain adm and local adm is:
- domain adm: can create domain accounts, create OU, changes at dns, dhcp,
wins, he can do everything.
- local adm: (from workstations) can add new hardware at his workstation,
change conecction parameters, etc.

So, if I have 100 workstations will I need to create at every workstation a
locall account with adm power? Its because here were I work the
adminstration account of my domain can log at every workstation but it can`t
change hardware. The domain adm doesn`t have local adminstration power.

How can I resolve it?
Click to expand...

By default, Domain Admins are part of the local Admninistrators group.
Is that not the case in your environment?
 
Thanks to all. I put some users into Domain adminins and works perfect.

Thanks.
 
Thanks to all. I put some users into Domain adminins and works perfect.
Click to expand...

What? Are you serious?

You stated originally that the Domain Administrator couldn't install
hardware at local PCs. How is granting Domain Users the privileges of
Domain Admins going to solve that situation?

As I said before, Domain Admins should be members of the local
Administrators group. If that is not the case in your environment, you
should investigate why not, and rectify it, probably in a login script
along the lines of:
NET LOCALGROUP ADMINISTRATORS /ADD "Domain Admins"

I suggest you think about the consequences of making any domain users
members of Domain Administrators. I run a fairly permissive network here
with only a few and rather educated and responsible users, but it would
never occur to me to grant any of them Domain Admin rights.
 
there was no one int Domain admins, so no one can add new hardware. I have
to manually add at every workstation the user who will add new hardware. We
have a lot of workstations, and the same guy will add hardware to every
workstation.
So I put these guy into Domain Adminins and now he can add new hardware and
software easily.
Does he can do some changes at my domain, like make changes ad AD, florests,
DC, or others things. Because I want that he has full administrative power
only at the worstations...
 
Back
Top