Permissions

Guest

I've given a local user on the domain Administrative rights on their local machine. But I found out by doing this it allows this user with administrative rights to add users off of the domain to their local computer and change their rights such as restricted, power user or administrator. Is there any policy that I can apply that will prevent any user from adding users from the domain to their local machine if they have administrative access? In my environment I have Windows 2000 domains with Windows XP clients.
 
James,

Take a look at the restricted groups setting in the Computer Config section
of a GPO. Basically, what you can do here is configure the membership for
any local group on a computer, and then every time the computer refreshes the
machine policy, it will confirm that the group matches the GPO, or else
modify it.

--
Brian Desmond
Windows Server MVP
(e-mail address removed)12.il.us

Http://www.briandesmond.com
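
Added example, not part of the reply above: a Restricted Groups setting is stored in the GPO's security template (GptTmpl.inf) under a [Group Membership] section, and this Python sketch parses such a section and reports what a policy refresh would add or remove to make local Administrators match it. The template text, the domain SIDs and the local group state are constructed sample data, and the function names are hypothetical.

```python
# Added example: models how a Restricted Groups "Members" list is enforced.
# Constructed sample of a GptTmpl.inf; the domain SIDs below are made up.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-512,*S-1-5-21-1111111111-2222222222-3333333333-1104
"""

def parse_restricted_groups(inf_text):
    """Return {group: set(members)} from the [Group Membership] section."""
    groups, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        group, sep, kind = key.strip().rpartition("__")
        # Only the "Members" entry defines who belongs to the group.
        if sep and kind.lower() == "members":
            groups[group.lstrip("*")] = {
                m.strip().lstrip("*") for m in value.split(",") if m.strip()
            }
    return groups

def membership_drift(wanted, actual):
    """What a policy refresh would add and remove to make the group match."""
    actual = set(actual)
    return {"add": sorted(wanted - actual), "remove": sorted(actual - wanted)}

DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID
# Constructed state: the local admin has added an extra domain user (RID 1250).
LOCAL_ADMINS = [f"{DOMAIN}-512", f"{DOMAIN}-1104", f"{DOMAIN}-1250"]

if __name__ == "__main__":
    policy = parse_restricted_groups(SAMPLE_INF)
    # S-1-5-32-544 is the well-known SID of the local Administrators group.
    print(membership_drift(policy["S-1-5-32-544"], LOCAL_ADMINS))
```

The "remove" list is the membership the refresh would undo; between refreshes the extra account remains in the group, so the same comparison is useful as an audit check.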

