If I might, I'd like to clarify some things here that seem to be "fuzzying" this whole conversation.

Definitions:-

1. Domain Administrator: A domain admin is an administrator of a Windows AD domain. He may administer all things in the domain (except two, but we'll forget those for this discussion). While a domain administrator cannot be removed from their ability to admin the domain through AD Users & Computers etc., they most certainly can be restricted from admin privs on individual workstations etc.

2. Local Administrator: This chap is the admin of a workstation or server (except an AD controller, which has no users or admins). He has no control over any domain functions and I don't even believe that a local admin of a workstation could be added to the domain admins group in AD - though I'm sure someone has a nice little hack for that one if you have admin access to a DC.

The user groups are similar. A user on a workstation can't be a user in a domain. A user has to be added to AD as a domain user and log into the domain to have privs there. They will, at a minimum, be a user of the workstation if they successfully authenticate to the domain. A domain user can be added to the local admin group of any specific workstation or non-AD server by going to the Users section in Control Panel or under My Computer - Manage and added to the Admin group by selecting the domain as the source of the list of users and selecting the appropriate user from that list.

In short there is a huge difference between "Local" and "Domain". They are utterly different and there is no "Local Users" or "Local Administrators" group in any AD install I ever came across.

So.... having said that....

Earthbound.. What is the problem, precisely?

You are saying that you aren't a domain admin but you seem to be saying that you are adding users to groups in AD.... You can't.... Are you _sure_ you don't mean you are doing it on a workstation and adding them to the Administrators group there?

You also say you aren't a domain admin but that you can go to any computer and do what you want.... that leaves two scenarios possible:-

1. Your domain admins have either domain users or authenticated users added to the local administrators group of each workstation - That would be considered bad....

2. You are a domain admin and don't know it since domain admins are added to the local admin group of any workstation that joins a domain by default - again, this is bad.

Another possibility:-

Are you sure that you have not been delegated authority over an OU, (Organizational Unit)? This would grant you local admin privs without you being a domain admin.....

So.... If you want to give a user admin privs on a workstation then go ahead and do it through control panel or My Computer - Manage, (if you can), and don't do it to any other workstation and you will be fine.....

But my best piece of advice to you at this point is to do two things:-

1. Learn the differences between domain and local, AD and Users and how they apply in an AD environment

2. Go and ask your domain admin what rights you have, _exactly_, and how they are derived (through AD, therefore a domain admin (albeit a very limited one), or through AD as a delegation, or simply because they ran a script on certain computers to make you a local admin).


Hope that clarifies the terminology and the differences.
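
Added example, not part of the original post: a PowerShell check for the first scenario above, classifying the members of a workstation's local Administrators group by well-known SID or RID so that broad principals such as Domain Users or Authenticated Users stand out. The function name `Get-LocalAdminFinding`, the machine and domain names, and the SIDs in the sample data are constructed for illustration.

```powershell
# Added example: classify members of the local Administrators group.
# Matching is done on the SID, so it does not depend on display language
# or on what the domain happens to be called.
function Get-LocalAdminFinding {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Member   # needs .Name and .SID, as Get-LocalGroupMember returns
    )
    process {
        $sid = [string]$Member.SID
        $finding = switch -Regex ($sid) {
            '^S-1-1-0$'               { 'BROAD: Everyone'; break }
            '^S-1-5-11$'              { 'BROAD: Authenticated Users'; break }
            '^S-1-5-32-545$'          { 'BROAD: BUILTIN\Users'; break }
            '^S-1-5-21-(\d+-){3}513$' { 'BROAD: Domain Users (RID 513)'; break }
            '^S-1-5-21-(\d+-){3}512$' { 'Domain Admins (RID 512)'; break }
            '^S-1-5-21-(\d+-){3}500$' { 'Built-in Administrator account (RID 500)'; break }
            default                   { 'Individually granted: confirm why' }
        }
        [pscustomobject]@{ Name = $Member.Name; SID = $sid; Finding = $finding }
    }
}

# Constructed sample data (names and SIDs are made up) so the example runs anywhere.
# On a real machine, replace $sample with:
#   Get-LocalGroupMember -SID 'S-1-5-32-544'
$sample = @(
    [pscustomobject]@{ Name = 'WS01\Administrator'
                       SID  = 'S-1-5-21-1111111111-2222222222-3333333333-500' }
    [pscustomobject]@{ Name = 'EXAMPLE\Domain Admins'
                       SID  = 'S-1-5-21-4444444444-5555555555-6666666666-512' }
    [pscustomobject]@{ Name = 'EXAMPLE\Domain Users'
                       SID  = 'S-1-5-21-4444444444-5555555555-6666666666-513' }
    [pscustomobject]@{ Name = 'NT AUTHORITY\Authenticated Users'
                       SID  = 'S-1-5-11' }
    [pscustomobject]@{ Name = 'EXAMPLE\jdoe'
                       SID  = 'S-1-5-21-4444444444-5555555555-6666666666-1104' }
)

$sample | Get-LocalAdminFinding | Format-Table -AutoSize
```

Any row marked `BROAD` means every account in that group is a local admin on the machine, which is the situation described in scenario 1.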