disallow dom admin login at work-st?

By default the "domain admin" account is added to the
local "administrator" account on all domain members when
joining the domain. If you want to prevent "domain admin"
accounts from logging locally to workstations then remove
the "domain admin" account from the local "administrator"
account on the local machines.

By default only "domain admins" or domain "administrators"
can logon locally to a DC.
"Hernán Castelo" <(E-Mail Removed)> wrote in message news:
hi
can i disallow
login as admins of domain controller
from the workstations?

that is, admins of DC
only can log in the server .

thanks

hi
can i disallow
login as admins of domain controller
from the workstations?

that is, admins of DC
only can log in the server .

thanks


--
atte,
Hernán Castelo
SGA - UTN - FRBA

By default, users can't log in locally or via TS to a server.

Hernán Castelo wrote:
> hi
> can i disallow
> login as admins of domain controller
> from the workstations?
>
> that is, admins of DC
> only can log in the server .
>
> thanks

In AD Users and Computers you can restrict which domain computers a user can logon to in their user account properties. Also you can use the user right for logon locally and deny logon locally to restrict what computers a user can logon to. In the appropriate security policy user rights are located under security settings/local policies/user rights.

Having said that, domain admins are all powerful in the domain and can change any policy or user restriction in the domain so you can not realistically restrict them. I would not make someone a domain admin if I could not trust them. Also many functions in the domain can be delegated to regular users including creating and managing user and computer accounts. --- Steve
"Hernán Castelo" <(E-Mail Removed)> wrote in message news:(E-Mail Removed)...
hi
can i disallow
login as admins of domain controller
from the workstations?

that is, admins of DC
only can log in the server .

thanks


--
atte,
Hernán Castelo
SGA - UTN - FRBA

thanks everybody

what are the main reasons
for disallow work-st to log as admin of dom ?
what are the risks of allow
dom admin account
log on work-st ?
password or permissions can be hacked?

thanks

--
atte,
Hernán Castelo
SGA - UTN - FRBA

"Hernán Castelo" <(E-Mail Removed)> escribió en el mensaje news:(E-Mail Removed)...
hi
can i disallow
login as admins of domain controller
from the workstations?

that is, admins of DC
only can log in the server .

thanks


--
atte,
Hernán Castelo
SGA - UTN - FRBA

A domain administrator should not be logging onto non secured domain workstations to do work that does not require domain admin credentials, and they should know that. You can create a domain global group to add to the local administrators group on domain computers and that group can be a regular user in the domain. That can be done by using Group Policy and "Restricted Groups" at the Organizational Unit level or by a Group Policy startup script. The main risk is that an unsecured typical domain computer may have a keyboard logger, mini camera, or such installed on/near it by a trojan or malicious user to capture users passwords. What I mean by unsecured domain computer is a computer that is not in a locked office or otherwise secured to prevent only authorized users to have physical access to it.

http://support.microsoft.com/default...;EN-US;Q320065 -- note this will remove any current users/groups in the local administrators group other than the built in administrator.
"Hernán Castelo" <(E-Mail Removed)> wrote in message news:(E-Mail Removed)...
thanks everybody

what are the main reasons
for disallow work-st to log as admin of dom ?
what are the risks of allow
dom admin account
log on work-st ?
password or permissions can be hacked?

thanks

--
atte,
Hernán Castelo
SGA - UTN - FRBA

"Hernán Castelo" <(E-Mail Removed)> escribió en el mensaje news:(E-Mail Removed)...
hi
can i disallow
login as admins of domain controller
from the workstations?

that is, admins of DC
only can log in the server .

thanks


--
atte,
Hernán Castelo
SGA - UTN - FRBA