I've wanted to accomplish exactly the same thing in several organizations I've worked with, and, unfortunately,...
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
there isn't a good solution. You're left with several options, each of which isn't wholly satisfying:
- Add all users to the administrators group on every machine in your domain. This obviously raises security concerns as every user now has admin control over every computer.
- Create separate policies for each user in the organization. This is not a scalable solution!
- Use a middle-ground solution that divides computers into Active Directory Organizational Units (OUs) and assigns rights based upon OU membership. You'll still have the same security concerns as the first option, but it's a little more workable, as an individual's admin rights are limited to systems in the OU.
Let's all hope that Microsoft does something to address this in a future version of Group Policy!
For more information:
- Do the Group Policy Object and 'Password Never Expires' flag interact? Read more.
- Learn about the pros and cons of using stand-alone authentication that is not Active Directory-based.
Dig Deeper on Active Directory and LDAP Security
Related Q&A from Mike Chapple
Encrypting data going to the cloud is a security best practice, but does it add extra challenges for regulators that might need to access the data? ...continue reading
Merchants that sell at off-site venues need to take extra care to follow PCI compliance standards. Expert Mike Chapple discusses how organizations ...continue reading
The FTC's order for PCI DSS compliance assessments is odd since PCI isn't a government regulation. Expert Mike Chapple explains the motivation ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.