Restrict Desktop Administrators Issue

  • Thread starter Thread starter Jason
  • Start date Start date
J

Jason

I run a small Win2k native mode network with 28 servers,
400 desktops and 6 desktop administrators. All desktop
admins are members of the Domain Admins group.

Due to a recent change in the security policy I've been
told to restrict my six desktop admins yet still allow
them to administer all of the desktops, for desktop
support purposes.

I want to restrict them from logging onto the servers and
managing user accounts. I do not want to stop them from
managing, configuring and administering the users desktops.

My earlier attempts to get this done has failed!!! I've
added the desktop support people to a new group
named "Desktop Support" and then I created a new group
policy which denies them log on access to the servers OU.
Since these guys are Domain Admins my policy restriction
is not working. They can still logon to the servers.

I thought that the deny permission was supposed to take
priority over the allow permission. Please help as I'm
being pressured to deliver a solution on this security
threat.

I passed the Win 2k Server Exam so I'm not at a total loss
of NTFS permissions. I just don't know what I'm doing
wrong here. Does this require changing ADSI info, taking
them out of the Domain Admins group or something else?

My desktop guys need to be administrators on all the
desktops whenever they logon with their account, but I do
not want them to be able to perform any account management
or server administration.

Thanks,

Jason
 
Jason said:
I run a small Win2k native mode network with 28 servers,
400 desktops and 6 desktop administrators. All desktop
admins are members of the Domain Admins group.

Due to a recent change in the security policy I've been
told to restrict my six desktop admins yet still allow
them to administer all of the desktops, for desktop
support purposes.

I want to restrict them from logging onto the servers and
managing user accounts. I do not want to stop them from
managing, configuring and administering the users desktops.

My earlier attempts to get this done has failed!!! I've
added the desktop support people to a new group
named "Desktop Support" and then I created a new group
policy which denies them log on access to the servers OU.
Since these guys are Domain Admins my policy restriction
is not working. They can still logon to the servers.

I thought that the deny permission was supposed to take
priority over the allow permission. Please help as I'm
being pressured to deliver a solution on this security
threat.

I passed the Win 2k Server Exam so I'm not at a total loss
of NTFS permissions. I just don't know what I'm doing
wrong here. Does this require changing ADSI info, taking
them out of the Domain Admins group or something else?

My desktop guys need to be administrators on all the
desktops whenever they logon with their account, but I do
not want them to be able to perform any account management
or server administration.
Click to expand...

Take them out of Domain Admins.
Make a new group, put them in it.. Push out that group to be loacl admins on
all Workstations. (Group Policies, Startup Scripts, Logon Scripts, PSEXEC,
SMS or whatever your favorite method is..)
 
The easiest way is as follows.

1) Remove them all from the Domain Admins group
2) Delegate any required AD privileges (Create Computer Objects etc) on the
OU containing the workstations.
3) Use the Restricted Groups section of Group Policy to add Desktop Support
to the local Administrators group on the individual workstations.

Hope that helps,

AndyC
 
Back
Top