Local Administrator on laptop has too much access

news.microsoft.com

Hi:

I'm having a problem with folder security. Everything that I've planned to do works fine when my test users are logged into the domain with their accounts or are simply logged in locally on their laptops with local User rights.

The problem is that most users who plug into our network have their own laptops to which they are configured as Administrators of their laptops. They don't have domain accounts. So folder permissions don't work anymore.

The scenario is that they'll be browsing on the network file server. From what I've read and tested, the Administrators on the local computer are automatically in the Domain Administrators group; therefore, giving any public user with Administrator access to their laptop complete Admin access to my file server.

How do I get around this?

Do
 
That is not how it works. In a default installation for a domain computer, the domain admins group is added to the local administrators group on the domain member. This allows domain administrators to also be administrators on all domain machines. Being in the local administrators group on any domain or non-domain computer gives a user no special powers in the domain. If using their laptops on your domain is acceptable [there are a lot of associated risks], then just tell them to create a local account on their laptops that has the same user logon name/password as their domain account and they will have domain user access to resources unless you have things like IPsec policies in place. --- Steve
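
To check the nesting direction described in the reply above on a domain member such as the file server, this added example (not part of the original thread) lists the local Administrators group and labels where each member comes from. It assumes an elevated Windows PowerShell 5.1 session with the built-in Microsoft.PowerShell.LocalAccounts module, run on a member server or workstation rather than a domain controller.

```powershell
# Added example. Run in an elevated Windows PowerShell session on a domain member.
# S-1-5-32-544 is the well-known SID of the built-in Administrators group,
# so the lookup works regardless of the display language.
$members = Get-LocalGroupMember -SID 'S-1-5-32-544'

# This machine's own SID prefix, taken from the built-in Administrator account (RID 500).
$machineSid = (Get-LocalUser |
    Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }).SID.AccountDomainSid.Value

$report = foreach ($m in $members) {
    $sid = $m.SID.Value
    $origin = if ($sid -like "$machineSid-*") {
        'this machine'
    } elseif ($sid -match '^S-1-5-21-(\d+-){3}512$') {
        # RID 512 under a domain SID is the Domain Admins group.
        'domain: Domain Admins (RID 512)'
    } elseif ($m.PrincipalSource -eq 'ActiveDirectory') {
        # Any other domain principal here was granted local admin deliberately.
        'domain: other principal, review'
    } else {
        "other: $($m.PrincipalSource)"
    }
    [pscustomobject]@{
        Name   = $m.Name
        Class  = $m.ObjectClass
        SID    = $sid
        Origin = $origin
    }
}

$report | Format-Table -AutoSize
```

On a default domain member the output shows Domain Admins nested inside local Administrators, which is the direction the reply describes. Accounts that are local to a visitor's laptop carry that laptop's own machine SID and do not appear here.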
 