Restrict Desktop Administrators Issue

View Full Version : Restrict Desktop Administrators Issue

Jason

I run a small Win2k native mode network with 28 servers,
400 desktops and 6 desktop administrators. All desktop
admins are members of the Domain Admins group.

Due to a recent change in the security policy I've been
told to restrict my six desktop admins yet still allow
them to administer all of the desktops, for desktop
support purposes.

I want to restrict them from logging onto the servers and
managing user accounts. I do not want to stop them from
managing, configuring and administering the users desktops.

My earlier attempts to get this done has failed!!! I've
added the desktop support people to a new group
named "Desktop Support" and then I created a new group
policy which denies them log on access to the servers OU.
Since these guys are Domain Admins my policy restriction
is not working. They can still logon to the servers.

I thought that the deny permission was supposed to take
priority over the allow permission. Please help as I'm
being pressured to deliver a solution on this security
threat.

I passed the Win 2k Server Exam so I'm not at a total loss
of NTFS permissions. I just don't know what I'm doing
wrong here. Does this require changing ADSI info, taking
them out of the Domain Admins group or something else?

My desktop guys need to be administrators on all the
desktops whenever they logon with their account, but I do
not want them to be able to perform any account management
or server administration.

Thanks,

Jason

Shenan Stanley

Jason wrote:
> I run a small Win2k native mode network with 28 servers,
> 400 desktops and 6 desktop administrators. All desktop
> admins are members of the Domain Admins group.
>
> Due to a recent change in the security policy I've been
> told to restrict my six desktop admins yet still allow
> them to administer all of the desktops, for desktop
> support purposes.
>
> I want to restrict them from logging onto the servers and
> managing user accounts. I do not want to stop them from
> managing, configuring and administering the users desktops.
>
> My earlier attempts to get this done has failed!!! I've
> added the desktop support people to a new group
> named "Desktop Support" and then I created a new group
> policy which denies them log on access to the servers OU.
> Since these guys are Domain Admins my policy restriction
> is not working. They can still logon to the servers.
>
> I thought that the deny permission was supposed to take
> priority over the allow permission. Please help as I'm
> being pressured to deliver a solution on this security
> threat.
>
> I passed the Win 2k Server Exam so I'm not at a total loss
> of NTFS permissions. I just don't know what I'm doing
> wrong here. Does this require changing ADSI info, taking
> them out of the Domain Admins group or something else?
>
> My desktop guys need to be administrators on all the
> desktops whenever they logon with their account, but I do
> not want them to be able to perform any account management
> or server administration.

Take them out of Domain Admins.
Make a new group, put them in it.. Push out that group to be loacl admins on
all Workstations. (Group Policies, Startup Scripts, Logon Scripts, PSEXEC,
SMS or whatever your favorite method is..)

--
<- Shenan ->
--
The information is provided "as is", with no guarantees of
completeness, accuracy or timeliness, and without warranties of any
kind, express or implied. In other words, read up before you take any
advice - you are the one ultimately responsible for your actions.

Andy Cadley

The easiest way is as follows.

1) Remove them all from the Domain Admins group
2) Delegate any required AD privileges (Create Computer Objects etc) on the
OU containing the workstations.
3) Use the Restricted Groups section of Group Policy to add Desktop Support
to the local Administrators group on the individual workstations.

Hope that helps,

AndyC

"Jason" wrote in message
news:b0b3780f.0406030004.41bb6383@posting.google.com...
> I run a small Win2k native mode network with 28 servers,
> 400 desktops and 6 desktop administrators. All desktop
> admins are members of the Domain Admins group.
>
> Due to a recent change in the security policy I've been
> told to restrict my six desktop admins yet still allow
> them to administer all of the desktops, for desktop
> support purposes.
>
> I want to restrict them from logging onto the servers and
> managing user accounts. I do not want to stop them from
> managing, configuring and administering the users desktops.
>
> My earlier attempts to get this done has failed!!! I've
> added the desktop support people to a new group
> named "Desktop Support" and then I created a new group
> policy which denies them log on access to the servers OU.
> Since these guys are Domain Admins my policy restriction
> is not working. They can still logon to the servers.
>
> I thought that the deny permission was supposed to take
> priority over the allow permission. Please help as I'm
> being pressured to deliver a solution on this security
> threat.
>
> I passed the Win 2k Server Exam so I'm not at a total loss
> of NTFS permissions. I just don't know what I'm doing
> wrong here. Does this require changing ADSI info, taking
> them out of the Domain Admins group or something else?
>
> My desktop guys need to be administrators on all the
> desktops whenever they logon with their account, but I do
> not want them to be able to perform any account management
> or server administration.
>
> Thanks,
>
> Jason