Active Directory & Domain Administrators

Posted on 2004-11-26
Last Modified: 2010-04-14
We have recently switched to Server 2000 using Active Directory and I now find myself in a debate with one of our other network administrators.
Currently, even though we are set up as Domain Administrators, if we want to see or change any security settings (network address, security event logs, etc.) on a computer within that domain we have to log on to that local machine as a local administrator to give our domain ID access as a local administrator.
To me this seems to mean that we did something wrong when we first set things up; as a network administrator we should automatically have full access to each machine that we log into so that changes can be made without having to jump through hoops first. However, my co-worker thinks that it is perfectly normal and is all part of Active Directory. I have been wrong before, so I am curious if I am again.

Any thoughts?

Question by: questioner

    Accepted Solution

    No, this is not normal... you can safely ignore your co-worker.

    The Domain Admins group is automatically added to the PC's local Administrators group when the PC joins the domain. Therefore, you should be able to walk up to any PC in the domain and log in using your domain account (the account that's a member of the Domain Admins group) and have full administrator privileges.

    I can foresee a situation where, if you had subordinate domains (in a multiple domain forest), membership in one Domain Admins group wouldn't give you any privileges at all on the other domain.

    Assisted Solution

    This is true, i.e. what graye has said - you may be interested in a way to correct this though? Just in case - you can assign scripts via startup scripts in group policy - they won't work via login script unless a user is a local admin,
    Net localgroup
    Deb :))
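As an added example (not Deb's own script or anything from the original thread), a Group Policy startup script of the kind described above. It runs as LocalSystem on each domain PC, checks whether Domain Admins is already in the local Administrators group, adds it only if missing, and logs what it did so the change can be audited per machine. EXAMPLEDOM is a placeholder for the NetBIOS domain name, and the log path is an assumption.

```batch
@echo off
rem Startup script: Computer Configuration > Windows Settings > Scripts (Startup/Shutdown) > Startup.
rem Restores the default state described in the thread: Domain Admins is a member of the
rem local Administrators group on every domain PC. Runs as LocalSystem, so no user logon is needed.
rem EXAMPLEDOM is a placeholder; replace it with the real NetBIOS domain name.
setlocal
set DOMAIN=EXAMPLEDOM
set LOGFILE=%SystemRoot%\Temp\localadmin-fix.log

rem Check first: "net localgroup Administrators" lists domain groups as DOMAIN\Group.
net localgroup Administrators | findstr /I /C:"%DOMAIN%\Domain Admins" >nul
if %ERRORLEVEL% EQU 0 (
    echo %DATE% %TIME% %COMPUTERNAME%: %DOMAIN%\Domain Admins already present, no change >> "%LOGFILE%"
    goto :EOF
)

rem Not present: add the group and record the outcome so the admin can see which machines changed.
net localgroup Administrators "%DOMAIN%\Domain Admins" /add >nul 2>&1
if %ERRORLEVEL% EQU 0 (
    echo %DATE% %TIME% %COMPUTERNAME%: added %DOMAIN%\Domain Admins to Administrators >> "%LOGFILE%"
) else (
    echo %DATE% %TIME% %COMPUTERNAME%: FAILED to add %DOMAIN%\Domain Admins, error %ERRORLEVEL% >> "%LOGFILE%"
)
endlocal
```

Because the script checks membership before calling `/add`, it is safe to leave in the startup policy permanently, and the log shows which PCs were actually missing the group.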

    Author Comment

    Glad  to know that I am not completely off base.

    Thanks for the scripts to correct the problem, Deb, but it does confuse me. Are you saying that the scripts are something that would be required on all computers in any domain using 2000 or that they are a hack (for want of a better word) around a problem that we somehow created by doing something wrong at setup?

    I am guessing the latter since you are also agreeing with graye in that by being a domain administrator I should automatically have full access on all machine within the domain.


    Expert Comment

    Yes, that's correct - the scripts are a suggested way around your specific problem - and yes, the default on any regular 2000 server based domain is that the Domain Admins group IS automatically added to the local admins group on domain PCs - however this would appear not to be the case on your domain for reasons I could only guess at right now, so I suggested a fairly inexpensive (time-wise) way to remedy the problem. Once a relevant domain account is added to the local admin accounts it stays there until it's removed. Just so it's clear, your situation, as graye has already said, IS NOT the norm,
    Deb :))

    Author Comment

    Thank you both for your information, and thank you Deb for letting me know how to get around our situation.
