Архив

Posts Tagged ‘Active Directory’

How To Force Adding Of Domain Admin Group to Local Admin Group

How To Force Adding Of Domain Admin Group to Local Admin Group
Introduction:

A common problem in Windows domain management is the removing of Domain Admin group from Local Admin group by users. This operation prevent from the Domain Admin group to connect to Administrative shares (like c$), log on to user workstation/server, track on user activity and so on.
Using «Restrict Groups» option from Windows 2000/2003 GPO impose some solution for this problem, but if there local users on the workstation/server, this option inefficient, and may harm the workstation/server users.

Machine Script Solution:

By combine Windows 2000/2003 GPO and creating a machine script, we can get
A good Solution to this problem, and by avoiding the problems that «Restrict Groups» option from Windows 2000/2003 GPO create.

The script structure:

Script Name: Machine_Startup_Script.vbs (You can use any name that you like,
But you need to verify that the file name suffix end with
*.vbs).

Operation Interval: Each machine startup or/and shutdown.

‘Beginning Of the Script

On Error Resume Next

‘get main objects/variables
Set ws = WScript.CreateObject ( «WScript.Shell» )
compname = ws.ExpandEnvironmentStrings ( «%COMPUTERNAME%» )
Set adGrp = GetObject ( «WinNT://» & compname & «/Administrators,group» )

‘add domain groups to local admin group
adGrp.Add ( «WinNT://mywindowsdomain/Domain Admins,group» )

‘End of the Script

mywindowsdomain = The NetBIOS name of the Domain that the user workstation log into.

Sentence that begin with » ‘ » use for a comment only.

After creating the script, we need add this script to Domain Default GPO – as
Computer startup or/and shutdown script and we done.

Reference:

Script Center
http://www.microsoft.com/technet/community/scriptcenter/default.mspx

Windows 2000 Computer Startup Scripts:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/optimize/startw2k.asp?frame=true

Active Directory Services and Group Policy in Windows Server 2003:
http://www.microsoft.com/israel/events/downloads/ws2003event/Active_Directory.ppt

Windows 2000 Group Policy:
http://www.microsoft.com/windows2000/techinfo/howitworks/management/grouppolwp.asp

How to Run Programs as a Domain User from a Non-domain Computer

In most cases, not being joined to a client’s domain doesn’t make one iota of difference. You need to access a network share or printer, browser to it and you will be prompted for domain credentials. The fact that you’re using different domain credentials to access the resource from those that you logged in with doesn’t matter one bit. If you want to expedite the process and not wait for an authentication time-out, you can utilize NET USE from the command line to tell Windows which credentials you want to use when accessing certain computers. You can even make them persistent or roll the whole thing into a batch script that you can execute whenever at a particular client.

net use \\server /user:domain\username /persistent:yes

Unfortunately this doesn’t work in all cases. One of my longstanding development pet peeves has been certain tools – I’m looking at you SQL Server Management Studio and SQL Query Analyzer – that don’t allow you to specify alternate domain credentials for authentication. For example, SQL Server Management Studio allows you to log into a SQL Server instance using Windows Authentication or SQL Server Authentication. If the SQL instance requires Windows Authentication – the recommended configuration – SQL Server Management Studio uses your logged in credentials. This works well if your computer is part of the domain, but fails horribly if not. It doesn’t let you specify alternate credentials or even prompt you for alternate credentials if the log-in fails.

Тег «Далее»

Рубрики:Active Directory, Microsoft Метки: ,

Как подключить Samba 3 сервер к домену Active Directory