access only for users who connect to domain

[kaycee]

hi there

i'm having a windows 2000 domain.

i want to limit all access into directories only for domain who does logon into the domain.

the problem is that the clients have local administrators on their computers so i cant force them to log into the domain.

so these users can access resources with other users username + password.

anyone has any idea how to limit it ?

(i thought to set permissions for Domain Computers, but old computers account remain in the AD what makes a big mass)

please help !

Thanks ahead

eyal

[pthomas]

Why do any of the users have a local admin account? That really takes the point of you being a system admin totally away.

If a user needs admin access on a PC, add their domain account to the power users group on the local PC. Don;t make them local admins. Otherwise, if they have a local admin account, you can NOT stop them from loggin on locally or even removing your access from that computer since they are an administrator of that PC. They have to logon to the domain for domain policies to take affect, so even if you had domain restrictions, logging on locally bypasses them.

Remove all local admin accounts and make them have to use their domain account to sign onto the computer.

You can safely delete old computer names from the domain.

Paul