Šīsdienas domu grauds

-Kāds ir visvieglākais veids sakašķēties ar kolēģiem?
-Noņemot Local Administrator tiesības.
Nekas, tanki no dubļiem nebaidās.

Laikam Local Administrator piemīt kāda neaptverama burvība un brīvības garša, kuru noņemot cilvēks liekas iesprostots un pazemots, kaut gan reāli viņām ko uzinstalēt vajag reizi gadā.

Būs grūti- cilvēku vairāki tūkstoši, visi ir personības un katram ir savs viedoklis kāpēc viņam nepieciešams būt par noteicēju.
Bet ar katru tādu cīņu pieaug skill un pārliecība par sevi (argumentēt,aizstāvēt savu viedokli, utml).

Skripts, kurš ļaut AD atrast lietotājus, kuriem ir šādas tiesības:
Aizgūts no šejienes.

Listing Members of the Local Administrators Group of Computers in a Domain
Here’s a script which lists all members of the local administrators group for each computer in a domain. The computers.ini file contains the list of hostnames of all computers in the domain whereas the results.csv file will store the local administrators information. The usual disclaimer applies:

Un neliels ieskats kā organizēt šādu tiesību piešķiršanu aizgūts no šejienes:

How to control PC local admin members by Active Directory security groups???

What is the best strategy for controlling PC local admin members by Active Directory security groups?For exampleif I was to create a global security group (adding members) anda local security group in AD, then assign the local security group to the local administrators security group on a PC, this would give all the members of the global security group in AD local admin access on this PC. But this would be wrong. We only need to give specific people local admin access to specific PC’s.
kentg6
June 29th, 2009 12:01am
At my work, we made an Active Directory group with only accounts that would be used for local server administration. Then add that group to the local administrators group. This will limit the amount of users having administrative access. I have two ID’s that I use on a daily basis. One that is an administrator of my laptop and no rights to my servers. The second is an administrative user ID that is only able to administer the servers. Hope this helps in some way! : )
NickHunyady
June 29th, 2009 12:34am
HelloIt will be easier for you to just create a global group specific for granting local admin rights. That way only people that you want to access pc locally go to be members of that group.Also, look into restricted groups via GPO as well,..check this blog for more info on thathttp://
www.frickelsoft.net/blog/?p=13Isaac
Oben MCITP:EA, MCSE
Isaac Oben
June 29th, 2009 1:36am
The best way to control local admin rights, imho, is to have a HR-endorsed corporate policy that defines who can have the admin rights, the scope, roles and responsibilities of a local admin, and revocation of this privilege in the event that your user violatea any of the provisions of the policy. Then create a process for the request and granting of admin rights; this would ensure that only those requesting for admin rights on specific PCs will be granted the rights on the machines. If you need to make a certain group of people to be local admins of ALL your computers, create a global group, add these users to this group and add this group to the local administrators group of all the computers; this should be easily done through AD [using restricted groups], or via a script.Regards,Salvador Manaois IIIMCITP | Enterprise & Server AdministratorMCSE MCSA MCTS(x5) CIWA C|EH My Blog: Bytes and BadzMy Shots:View MyPhotoStream
Salvador Manaois III
June 29th, 2009 2:35am
Hello,as already mentioned Restricted groups is the option to handle this. If you have really less people for less machines you can of course add them by hand on the local machine.Best regards

Meinolf Weber
Disclaimer: This posting is provided “AS IS” with no warranties, and confers
no rights.

Leave a Reply