|
Posted by Steven L Umbach on September 27, 2005, 7:35 pm
If you were Registered and logged in, you could reply and use other advanced thread options
Not really. Local administrators are all powerful on that computer within
what they know how to do with the operating system. Depending on their
knowledge you could use Group Policy user configuration/administrative
templates -- various settings to disable their access to the local user and
groups Management Console, hide Control Panel, command prompt, etc. If you
configure such settings at the domain/OU level they will not apply if the
user logs onto the "local" computer not using a domain account. You can also
use Group Policy Restricted Groups to enforce membership of local computer
groups if you use RG at the OU level which would remove unauthorized members
at the next GP computer configuration refresh on the domain computer. The
links below explains more on how to use RG. --- Steve
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/611.mspx
http://www.windowsecurity.com/articles/Using-Restricted-Groups.html
> Hi to all,
>
> I have a question. I need your help. We granted some employees' network
> account to local admin group to run some applications. However, they have
> used this permission to grant someone else to access that box too. Are
> There
> any ways to restrict them to use local admin right to grant someone
> permission to box? I did test at OU but no luck. Any ideas should be
> appreciated. Thanks.
>
> Tu Nguyen
>
>
| 
XML site map