We're migrating from NT to AD domains, and I have a minor issue I'd like the board AD gurus to offer advice on.

I have a number of servers in an OU to which I want to apply some restrictive policies; however, I don't want the restrictions to apply to admin accounts. I only want to apply the policies when the users log into those specific machines, not when they are using their desktop machines.

In the past I've forced the restricted machines to use a specific NTCONFIG.POL with restrictions set for "domain users" and explicitly unset for "domain admins"; however, I want to get away from local administration.

We have Windows 2000 machines, so I can't use WMI filtering on the policies.

As an example of a policy, I don't want users to be able to run cmd.exe on the restricted servers, but they are allowed to use it on their desktop machines. Admins should always be able to start it, of course.
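The setup described in the post (user restrictions that apply only when logging on to the server OU, with admins exempt) maps onto two standard Group Policy mechanisms: loopback processing, so that a GPO linked to the server OU applies user settings to whoever logs on there, and security filtering, so that the GPO only applies to a group that admins are not in. The following is an added example, not part of the original post or any reply; it uses the GroupPolicy PowerShell module, which post-dates Windows 2000, and assumes an OU DN, a GPO name and a group name that are placeholders.

```powershell
# Added example (not from the original post). Assumes the GroupPolicy module
# (RSAT) and a domain with a "Restricted Server Users" group that contains the
# ordinary users but NOT Domain Admins. OU, GPO and group names are placeholders.
Import-Module GroupPolicy

$ServerOU = 'OU=Restricted Servers,DC=example,DC=com'   # placeholder DN
$GpoName  = 'Restricted Servers - User Lockdown'         # placeholder name
$UserGrp  = 'Restricted Server Users'                    # placeholder group

# 1. Create the GPO and link it to the server OU only, so it is never
#    processed for the users' desktop machines.
$gpo = New-GPO -Name $GpoName -Comment 'User restrictions for servers in the OU'
New-GPLink -Name $GpoName -Target $ServerOU -LinkEnabled Yes | Out-Null

# 2. Enable loopback processing (merge mode) in the GPO's computer settings.
#    UserPolicyMode: 1 = Merge, 2 = Replace. With loopback, the user settings
#    in this GPO are applied to anyone logging on to a machine in the OU.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null

# 3. The example restriction from the post: "Prevent access to the command
#    prompt" (User Configuration > Administrative Templates > System).
#    DisableCMD: 1 = block cmd.exe and batch scripts, 2 = block cmd.exe only.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKCU\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'DisableCMD' -Type DWord -Value 2 | Out-Null

# 4. Security filtering: remove the default Authenticated Users "Apply" right
#    and grant it only to the restricted-users group. Because Domain Admins
#    are not members of that group, the user settings are never applied to
#    them, which is the GPO equivalent of the NTCONFIG.POL "unset for domain
#    admins" trick. Admins keep read access so they can still edit the GPO.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $UserGrp `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# 5. Show the resulting filtering so it can be checked before rollout.
Get-GPPermission -Name $GpoName -All |
    Select-Object Trustee, Permission | Format-Table -AutoSize
```

Two points worth checking on a test server before relying on this: the computer account still needs to read and apply the GPO for loopback to work (keeping GpoRead for Authenticated Users covers that, since computer accounts are authenticated users; if the computer side is also filtered, grant the server group GpoApply as well), and the exemption holds only as long as admin accounts stay out of the filtered group, so membership of that group is what to audit.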