E
Eugene Taylor
You could create the group on the DC add the users to it. Then go to the
workstations and add that group to the local admin group.
workstations and add that group to the local admin group.
Dan Tindell said:We have an AD domain where other offices join the domain via VPN. My problem
is in administrators. I need to give one or 2 people at each office the
ability to have administrator priv's on all local 2k machines for the
purpose of updates but I don't want them to have admin rights on our
servers.
My first thought was "domain admin" but that is part of the Administrators
group.
By default, with Windows 2000, when you join a domain, domain admins and
administrators has local admin rights on that computer to do things such as
"Windows Updates", change network settings, add programs etc. You can't
just create a group called Local Domain Admin then add them as a user
account with admin rights because you can't add groups... only users locally
on each station.
I thought of removing domain admins from the administrators group on the
domain and adding those users from each office to the domain admin but I'm
not sure that it would be the right approach or would work.