Midtown Computer Systems Enterprise

Convenient web based access to our favorite computer related Usenet groups.
MCSE.MS is not affiliated with Microsoft corporation, Cisco corporation, Oracle, CompTIA or any other vendor.

Active Directory microsoft.public.win2000.active_directory

 
 
  #1  
Old 06-03-04, 04:13 AM
Jason
Restrict Desktop Administrators Issue
I run a small Win2k native mode network with 28 servers,
400 desktops and 6 desktop administrators. All desktop
admins are members of the Domain Admins group.

Due to a recent change in the security policy I've been
told to restrict my six desktop admins yet still allow
them to administer all of the desktops, for desktop
support purposes.

I want to restrict them from logging onto the servers and
managing user accounts. I do not want to stop them from
managing, configuring and administering the users' desktops.

My earlier attempts to get this done have failed!!! I've
added the desktop support people to a new group
named "Desktop Support" and then I created a new group
policy which denies them log on access to the servers OU.
Since these guys are Domain Admins my policy restriction
is not working. They can still log on to the servers.

I thought that the deny permission was supposed to take
priority over the allow permission. Please help as I'm
being pressured to deliver a solution on this security
threat.

I passed the Win 2k Server Exam so I'm not at a total loss
of NTFS permissions. I just don't know what I'm doing
wrong here. Does this require changing ADSI info, taking
them out of the Domain Admins group or something else?

My desktop guys need to be administrators on all the
desktops whenever they log on with their account, but I do
not want them to be able to perform any account management
or server administration.

Thanks,

Jason
  #2  
Old 06-03-04, 06:10 AM
slashsupport
Re: Restrict Desktop Administrators Issue
If you are still waiting for the solution, I can give one.
  #3  
Old 06-03-04, 06:12 AM
Shenan Stanley
Re: Restrict Desktop Administrators Issue
Jason wrote:
> I run a small Win2k native mode network with 28 servers,
> 400 desktops and 6 desktop administrators. All desktop
> admins are members of the Domain Admins group.
>
> Due to a recent change in the security policy I've been
> told to restrict my six desktop admins yet still allow
> them to administer all of the desktops, for desktop
> support purposes.
>
> I want to restrict them from logging onto the servers and
> managing user accounts. I do not want to stop them from
> managing, configuring and administering the users' desktops.
>
> My earlier attempts to get this done have failed!!! I've
> added the desktop support people to a new group
> named "Desktop Support" and then I created a new group
> policy which denies them log on access to the servers OU.
> Since these guys are Domain Admins my policy restriction
> is not working. They can still log on to the servers.
>
> I thought that the deny permission was supposed to take
> priority over the allow permission. Please help as I'm
> being pressured to deliver a solution on this security
> threat.
>
> I passed the Win 2k Server Exam so I'm not at a total loss
> of NTFS permissions. I just don't know what I'm doing
> wrong here. Does this require changing ADSI info, taking
> them out of the Domain Admins group or something else?
>
> My desktop guys need to be administrators on all the
> desktops whenever they log on with their account, but I do
> not want them to be able to perform any account management
> or server administration.


Take them out of Domain Admins.
Make a new group, put them in it. Push out that group to be local admins on
all Workstations. (Group Policies, Startup Scripts, Logon Scripts, PSEXEC,
SMS or whatever your favorite method is..)

--
<- Shenan ->
--
The information is provided "as is", with no guarantees of
completeness, accuracy or timeliness, and without warranties of any
kind, express or implied. In other words, read up before you take any
advice - you are the one ultimately responsible for your actions.


  #4  
Old 06-03-04, 06:12 AM
Andy Cadley
Re: Restrict Desktop Administrators Issue
The easiest way is as follows.

1) Remove them all from the Domain Admins group
2) Delegate any required AD privileges (Create Computer Objects etc) on the
OU containing the workstations.
3) Use the Restricted Groups section of Group Policy to add Desktop Support
to the local Administrators group on the individual workstations.

Hope that helps,

AndyC

"Jason" <sittingbull7@hotmail.com> wrote in message
news:b0b3780f.0406030004.41bb6383@posting.google.com...
> I run a small Win2k native mode network with 28 servers,
> 400 desktops and 6 desktop administrators. All desktop
> admins are members of the Domain Admins group.
>
> Due to a recent change in the security policy I've been
> told to restrict my six desktop admins yet still allow
> them to administer all of the desktops, for desktop
> support purposes.
>
> I want to restrict them from logging onto the servers and
> managing user accounts. I do not want to stop them from
> managing, configuring and administering the users' desktops.
>
> My earlier attempts to get this done have failed!!! I've
> added the desktop support people to a new group
> named "Desktop Support" and then I created a new group
> policy which denies them log on access to the servers OU.
> Since these guys are Domain Admins my policy restriction
> is not working. They can still log on to the servers.
>
> I thought that the deny permission was supposed to take
> priority over the allow permission. Please help as I'm
> being pressured to deliver a solution on this security
> threat.
>
> I passed the Win 2k Server Exam so I'm not at a total loss
> of NTFS permissions. I just don't know what I'm doing
> wrong here. Does this require changing ADSI info, taking
> them out of the Domain Admins group or something else?
>
> My desktop guys need to be administrators on all the
> desktops whenever they log on with their account, but I do
> not want them to be able to perform any account management
> or server administration.
>
> Thanks,
>
> Jason
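
Step 3 of the procedure above can be checked from the policy's security template: Restricted Groups settings are stored in the `[Group Membership]` section of the GPO's GptTmpl.inf. This added example (not part of the original posts) parses that section and reports which principals are placed in local Administrators through "Member Of", and whether the policy instead defines the Administrators membership outright; the sample template, domain SID and RID 1605 are constructed.

```python
import re

ADMINISTRATORS = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators

# Constructed sample: "Desktop Support" (made-up SID, RID 1605) configured
# in Restricted Groups as a member of the local Administrators group.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-21-1111111111-2222222222-3333333333-1605__Memberof = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""

def parse_group_membership(inf_text):
    """Return {(principal, 'memberof'|'members'): [values]} for the section."""
    entries, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        m = re.match(r"^(.+?)__(Memberof|Members)\s*=\s*(.*)$", line, re.I)
        if in_section and m:
            principal = m.group(1).lstrip("*")  # '*' marks a SID, names have none
            values = [v.strip().lstrip("*")
                      for v in m.group(3).split(",") if v.strip()]
            entries[(principal, m.group(2).lower())] = values
    return entries

def local_admin_grants(inf_text):
    """Summarise how the policy affects the local Administrators group."""
    entries = parse_group_membership(inf_text)
    # "Member Of" entries add the principal to Administrators.
    added = sorted(p for (p, kind), vals in entries.items()
                   if kind == "memberof" and ADMINISTRATORS in vals)
    # A "Members" line on Administrators itself defines the whole membership,
    # so anything not listed there is removed from the local group.
    members = entries.get((ADMINISTRATORS, "members"))
    return {"added": added,
            "replaces_membership": members is not None,
            "authoritative_members": members or []}

if __name__ == "__main__":
    print(local_admin_grants(SAMPLE_INF))
```

A result with `replaces_membership` set to true deserves a second look before the policy is linked to the workstations OU, since every account that must stay a local administrator then has to appear in the list.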



  #5  
Old 06-03-04, 06:12 PM
Jason
Re: Restrict Desktop Administrators Issue
Thanks for the quick replies I'll let you guys know if it works.

Thank you,

Jason.
 

