May 24th, 2005 09:11 PM
Suppose you have two groups, "Workstation admins" and "Server admins", neither of which is in "Domain admins", hence they don't have control over Active Directory; neither of them has admin rights on any domain controller, and neither of which has admin privileges on the other group's machines.
If a workstation admin ever logs into a server, or vice versa, then that group can potentially gain the others' passwords. This is because, with local admin rights, you can take control of a machine remotely and use the other users' permission to do whatever your want.
May 25th, 2005 02:31 PM
hey zooligan - you wouldn't happen to be in Atlanta would you?
May 27th, 2005 05:28 PM
another way... i'm not gonna go into details is to install a script/batch to run at startup which will automatically add an user into to domain admin group given that it is run while authorised person is logged in.