Hey
I'm wondering how I would be able to have a person have local administrative rights on his computer but not be able to change the domain or edit local security rights.
I don't think you are going to be able to do this. If they are an admin, they are unlimited. If you have a domain, you may be able to grant some specific rights to them, but I still don't think you'll get your desired result.
A domain user can be granted local administrative rights on a local PC (please note that this doesn't mean they have administrative rights on the domain itself, just the local PC). This only gives them the rights to edit local policy... which is overwritten by DOMAIN policy. Policies are applied in the order: local, site, domain, OU, sub-OU, and the last one that specifies a setting is what that setting will be. Local administrators do not have the authority to edit domain policy. You specify the last word on policy through the domain. Now, who are you going to give permissions to in your domain policy in regards to adding/removing PCs from/to the domain? Does it really matter if they can edit the local policy if you can overwrite it with domain policy?
We do this routinely in our environment (1500 nodes) using group policy. Some end users are local PC administrators, and sometimes they screw around and change local security policies, but as SeaSpray0 pointed out, the domain security policy overrides the changes they made (in our environment, within 90 minutes), so no matter what the end user does, they can't break "things" for more than 90 minutes at a time. You can set a group policy refresh rate lower than 90 minutes (i.e. 15 minutes), but I don't recommend this in environments with more than a few hundred clients. HTH
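The two replies above describe the mechanism (local policy is applied first and any conflicting domain or OU setting wins at the next refresh) but not how to confirm it on a given machine. The following PowerShell script is an added example, not code from anyone in this thread: it lists who holds local admin rights, reports the configured refresh interval, snapshots the effective local security policy before and after a forced refresh, and shows the applied GPOs in precedence order. It assumes it is run as an administrator on a domain-joined Windows 10/11 workstation; the function names are my own, and the registry value names `GroupPolicyRefreshTime` / `GroupPolicyRefreshTimeOffset` are the ones the "Set Group Policy refresh interval for computers" policy writes (absent when the default applies).

```powershell
# Added example (not from the thread): verify on a domain-joined workstation that
# a user's local admin rights do not translate into lasting policy control.
# Assumptions: run elevated on Windows 10/11 (LocalAccounts module present);
# the machine is joined to a domain that applies a security policy GPO.

# 1. Who currently holds local administrative rights on this machine?
#    PrincipalSource tells you whether each member is a local or a domain account.
function Get-LocalAdmins {
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource
}

# 2. How often does the domain re-apply its policy? When the policy is not set,
#    the registry values are absent and the default background refresh applies
#    (90 minutes plus a random offset of up to 30 minutes).
function Get-PolicyRefreshInterval {
    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        RefreshMinutes = if ($props.GroupPolicyRefreshTime)       { $props.GroupPolicyRefreshTime }       else { 'default (90)' }
        OffsetMinutes  = if ($props.GroupPolicyRefreshTimeOffset) { $props.GroupPolicyRefreshTimeOffset } else { 'default (up to 30)' }
    }
}

# 3. Export the effective local security policy (the merged result that secedit
#    keeps in its local database) so it can be diffed before and after a refresh.
function Export-EffectiveSecurityPolicy {
    param([string]$Path = "$env:TEMP\secpol-$(Get-Date -Format yyyyMMdd-HHmmss).inf")
    secedit /export /cfg $Path | Out-Null
    return $Path
}

# 4. Force an immediate computer-policy refresh instead of waiting for the
#    background interval the replies above mention.
function Invoke-PolicyRefresh {
    gpupdate /target:computer /force
}

# 5. Which GPOs were applied, in precedence order (local, site, domain, OU)?
#    A local-policy edit that conflicts with a domain GPO is listed but loses.
function Show-AppliedComputerGpos {
    gpresult /r /scope:computer
}

# Usage: snapshot, refresh, snapshot again, and compare. An empty Compare-Object
# result means the domain policy already held; differences are the settings a
# local admin had changed and the refresh just reverted.
Get-LocalAdmins | Format-Table -AutoSize
Get-PolicyRefreshInterval
$before = Export-EffectiveSecurityPolicy
Invoke-PolicyRefresh | Out-Null
$after  = Export-EffectiveSecurityPolicy
Compare-Object (Get-Content $before) (Get-Content $after) | Format-Table -AutoSize
Show-AppliedComputerGpos
```

The diff of the two `.inf` exports is the practical check for the claim made above: whatever a local administrator changes in Local Security Policy survives only until the next refresh, and anything not covered by a domain GPO is not reverted at all, so the export also tells you which settings the domain policy leaves undefined.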