Help

[Faisal Khan]

Hi
well i have smale network where i want to ristrict the
loacl administrator. beacuse local administrator can
access the domain shares without any password requirment
even the local administrator can access the administrative
shares like he can access every drive which is shared with
$ sign by default on every system on the domain
please help me and tell me how to get rid of this problem

Faisal Khan

 

[Diana Smith [MSFT]]

Hello Faisal,

There is no way to restrict an administrator account.

If the user is an admin, they can always revert the settings that you make.

The only way to perform this task, is to remove this user from the
Administrators group.

You can than use the Delegation of Control Wizard to assign specific task
to this user. Here is the information:

Best Practice for Delegating Active Directory Administration
http://www.microsoft.com/downloads/details.aspx?FamilyID=631747a3-79e1-48fa-
9730-dae7c0a1d6d3&displaylang=en

Best Practices for Delegating Active Directory Administration Appendices
http://www.microsoft.com/downloads/details.aspx?familyid=29dbae88-a216-45f9-
9739-cb1fb22a0642&displaylang=en

Thank You.

Diana

This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Ron Bernier]

A local administrator account cannot access domain shares UNLESS the local
administrator username and password is the same as the domain administrator
.... To stop local administrators from having access to the domain shares, I
would recommend that you change the doman administrator password at a
minimum, and the username and password is suggested ... If you don't want
the local administrator accounts to be able to access the admin shares of
other local PCs, then set the "access this computer from the network" user
right on all PCs to only allow "Domain Admins" the right ...

As always, test these changes in your test environment prior to implementing
....