
How to grant a global group the same access as domain admins.

Posted on 2004-11-23
Last Modified: 2010-04-11
I would like a group other than Domain Admins to have the same access as Domain Admins, such as full access to servers and workstations. Auditors want a list of Domain Admins, so I want as few people in there as possible.

ALSO

When you join a machine to the domain it automatically adds Domain Admins to the local Administrators group, can this be set to add another group also?

Thanks!
0
Question by:wreed420
24 Comments
 
LVL 2

Expert Comment

by:kinveachy
ID: 12661689
I would create a new group and just make it a member of Domain Admins. Then whoever you put in that new group will have the same access.
0
 

Author Comment

by:wreed420
ID: 12661967
That will not work; besides, the only group or user I want in Domain Admins is my administrator account.
0
 
LVL 11

Expert Comment

by:elbereth21
ID: 12664021
I would create a new group and make it a member of DomainName/Builtin/Administrators and maybe also of Enterprise Admins, though this might not be needed.
0

 
LVL 3

Expert Comment

by:_anom_
ID: 12670848
To also have certain groups added to the local administrators group on computers, you can use group policy.  This article explains the process well enough:

http://www.winnetmag.com/WindowsSecurity/Article/ArticleID/21296/21296.html

Cheers
0
 
LVL 11

Accepted Solution

by:
rafael_acc earned 2000 total points
ID: 12676860
Configure your domain to run in native mode. Then you will be allowed to insert a group inside another one. Once you've done that, insert your global group into the Domain Admins group.

You might also want to take a look at this article:
http://windows.about.com/library/weekly/aa010506a.htm

If you go for native mode, make sure you don't have any DC running pre-Windows 2000 OS.

Cheers.
0
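Added example, not part of the thread: nesting a group inside Domain Admins, as the accepted answer describes, gives its members Domain Admins rights without listing them as direct members, so an access review has to expand nested groups. The sketch below does that over a constructed membership export (every group and account name except the default AD groups is made up) and reports the nesting path for each account.

```python
from collections import deque

# Constructed directory export: group name -> direct members.
# A member that is itself a key is a nested group; anything else is an account.
GROUPS = {
    "Domain Admins": ["Administrator", "Server Ops"],
    "Server Ops": ["alice", "bob", "Tier2 Support"],
    "Tier2 Support": ["carol", "Server Ops"],  # circular nesting on purpose
    "Administrators": ["Domain Admins", "Enterprise Admins", "dave"],
    "Enterprise Admins": ["Administrator"],
}


def effective_members(group, groups=GROUPS):
    """Return {account: nesting path} for every account that ends up in `group`."""
    found = {}
    seen = {group}
    queue = deque([(group, [group])])
    while queue:
        current, path = queue.popleft()
        for member in groups.get(current, []):
            if member in groups:
                # Nested group: expand it once, which also breaks cycles.
                if member not in seen:
                    seen.add(member)
                    queue.append((member, path + [member]))
            else:
                # Breadth-first order means the first path seen is the shortest.
                found.setdefault(member, path)
    return found


def audit_gap(group, groups=GROUPS):
    """Accounts holding the group's rights that a direct-member listing omits."""
    direct = {m for m in groups.get(group, []) if m not in groups}
    return sorted(set(effective_members(group, groups)) - direct)


if __name__ == "__main__":
    for account, path in sorted(effective_members("Domain Admins").items()):
        print(f"{account:15} via {' > '.join(path)}")
    print("Missing from a direct-member list:", audit_gap("Domain Admins"))
```

On a live domain, `Get-ADGroupMember -Recursive` performs the same expansion for a group.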
 

Author Comment

by:wreed420
ID: 12677777
Rafael good idea I will try it.
0
 

Author Comment

by:wreed420
ID: 12677796
Rafael, do you know if you could go into ADSI and add the same permissions as Domain Admins into the AD? I tried it, but it does not seem to work for administering computers and servers, though they do have full access to edit the AD.
0
 

Author Comment

by:wreed420
ID: 12677805
Can you add a built-in group to a global group?
0
 
LVL 11

Expert Comment

by:rafael_acc
ID: 12677838
Any type of group can be added to a global group, including another global group. However, group nesting is allowed only when running the domain in native mode (at least this is what I remember now). Have you checked the article I gave you? I think there is something written about it there! It must be!

ADSI is actually a programming interface (the Active Directory API). So what do you mean by "going into ADSI"?


Cheers
0
 

Author Comment

by:wreed420
ID: 12677854
ADSI is the raw data of the Active Directory, where you can edit and delete objects you cannot see otherwise. Anyway, I defined security to a group on my domain in ADSIedit.

I would really like to add the built-in Administrators group of my domain to the Domain Admins. I tried and could not; you try and see if you have luck.

Thanks
0
 
LVL 11

Expert Comment

by:rafael_acc
ID: 12677871
I did it before. You can do it! Are you running in native mode?
0
 

Author Comment

by:wreed420
ID: 12677879
Yes, I am: Windows 2003 Server native mode.
0
 
LVL 11

Expert Comment

by:rafael_acc
ID: 12677887
How many DCs do you have?
0
 

Author Comment

by:wreed420
ID: 12677893
2 in the test domain and i using
0
 

Author Comment

by:wreed420
ID: 12677895
in the same site
0
 

Author Comment

by:wreed420
ID: 12677897
I added a global group to a global group, but I am unable to add a built-in group to a global group.
0
 
LVL 11

Expert Comment

by:rafael_acc
ID: 12677907
http://myitforum.techtarget.com/articles/11/view.asp?id=2457
Ok. I thought you were saying that you cannot add a global group to the local admin group.
Do you have multiple domains?
0
 

Author Comment

by:wreed420
ID: 12677920
I actually want to do exactly the opposite of the article you sent me.

Yes, I have 40+ domains in my enterprise.
0
 
LVL 11

Expert Comment

by:rafael_acc
ID: 12677929
:S Daaaamn !!!

:) OK. That's nice. So you want to add a built-in group to a global group.... Well, you can add to a global group only users and groups from the same domain!!! If the built-in group is located in another domain ... there's still a solution ... but it's a bit dependent on the network design ... therefore it might not be recommendable.

So ... let me know ... Is this built-in group located into another domain?!

0
 

Author Comment

by:wreed420
ID: 12677945
No, I want to add the built-in Administrators group of my TSB domain to the Domain Admins of my TSB domain.

All other domains I just trust; they are root/data center/mainframe/client domains, and I don't need to mess with those.
0
 

Author Comment

by:wreed420
ID: 12677957
My auditors look at who's a member of Domain Admins, not Administrators. I am trying to be sneaky to give my guys full access.
0
 
LVL 11

Expert Comment

by:rafael_acc
ID: 12677989
The problem is that the Domain Admins group is a domain local group. Therefore, you just cannot add a global group to the domain local group. Have you tried the delegation wizard?

Try also the following:

The official Microsoft-sanctioned method for using groups in a domain setting is known as the A-G-DL-P method.

(A) Take the user Account and place it in a
(G) Global group, then take the global group and place it into a
(DL) Domain Local group, after which you assign
(P) Permissions to the domain local group.

Of course, always following this method is not practical.  You have to use common sense and judgment when assigning groups to permissions.  The above is just an official Microsoft guideline.

0
 
LVL 11

Expert Comment

by:rafael_acc
ID: 12677998
"built-in administrators group of my TSB domain to the Domain Admins of my TSB domain"
"built-in administrators group" seems to me like a really local group, not a domain local group. So, this group would be located in any domain. Therefore you JUST CANNOT add a group/user outside the domain to the global group. It has to be from the same domain.

Oh ... one more ... Are you talking here about the "administrators" LOCAL GROUP!!! Not the domain local group but LOCAL GROUP. Because it's a local group it doesn't seem to me possible as groups take
0
 
LVL 11

Expert Comment

by:rafael_acc
ID: 12678020
Keep in touch ... I'm a bit tired now ... but I think maybe I'm missing something here ... I just cannot think ... But I'm sure it can be done ...
0
