Preventing non-department users from logging into department computers (a.k.a. Keeping out the riffraff)
By default, when a computer is joined to a domain, the domain group Domain Users is added to the local computer's Users group and the domain group Domain Administrators is added to the local computer's Administrators group. Both of these settings can be changed to increase the security of your computers.
On the UCB campus you should not worry about removing the Domain Administrators group from the local Administrators group, as only a few well-trusted ITS employees are members of the Domain Administrators group. This is similar to the situation on other ITS systems such as the e-mail servers. However, this group can be removed from the local Administrators group.
To configure a computer to allow only a specific group of users to log in, follow these steps:
- Create a domain group containing the users that should have the right to use a computer
- Remove Domain Users from the local Users group
- Add the new group to the appropriate local group (this may be Users or Power Users)
This same technique can be used with an individual user account instead of a group if more controlled access is required.
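The steps above in PowerShell, as an added example that is not part of the original page. It adds the new group before removing Domain Users, so a mistyped group name stops the script instead of leaving the computer with no domain group in Users. The domain name EXAMPLE and the group name Dept-Computer-Users are placeholders, and it assumes Windows PowerShell 5.1 or later (LocalAccounts cmdlets) plus the ActiveDirectory module for the optional group creation.

```powershell
#Requires -RunAsAdministrator
# Added example. EXAMPLE and Dept-Computer-Users are placeholders (assumptions).
param(
    [string]$Domain     = 'EXAMPLE',               # NetBIOS domain name (placeholder)
    [string]$DeptGroup  = 'Dept-Computer-Users',   # department group (placeholder)
    [string]$LocalGroup = 'Users',                 # or 'Power Users'
    [switch]$CreateDomainGroup                     # also perform step 1
)
$ErrorActionPreference = 'Stop'

# Step 1 (optional): create the domain group. Needs the ActiveDirectory module
# (RSAT) and the right to create groups; members are added separately.
if ($CreateDomainGroup) {
    Import-Module ActiveDirectory
    if (-not (Get-ADGroup -Filter "SamAccountName -eq '$DeptGroup'")) {
        New-ADGroup -Name $DeptGroup -SamAccountName $DeptGroup `
                    -GroupScope Global -GroupCategory Security
    }
}

# True when $Member (DOMAIN\name) is a direct member of the local group.
function Test-LocalMember([string]$Group, [string]$Member) {
    [bool](Get-LocalGroupMember -Group $Group | Where-Object Name -eq $Member)
}

$dept        = "$Domain\$DeptGroup"
$domainUsers = "$Domain\Domain Users"

# Step 3, done first: add the department group to the chosen local group.
if (-not (Test-LocalMember $LocalGroup $dept)) {
    Add-LocalGroupMember -Group $LocalGroup -Member $dept
}
if (-not (Test-LocalMember $LocalGroup $dept)) {
    throw "$dept is not in local group '$LocalGroup'; Domain Users left in place."
}

# Step 2: remove Domain Users from the local Users group.
if (Test-LocalMember 'Users' $domainUsers) {
    Remove-LocalGroupMember -Group 'Users' -Member $domainUsers
}

# Show the resulting membership so the change can be checked and recorded.
Get-LocalGroupMember -Group 'Users' | Select-Object Name, ObjectClass, PrincipalSource
```

To grant access to an individual account instead of a group, pass that account's name as -DeptGroup and omit -CreateDomainGroup.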
Getting Help
help@colorado.edu