Active Directory & Domain Administrators

Posted on 2004-11-26
Medium Priority
Last Modified: 2010-04-14
We have recently switched to Server 2000 using Active Directory and I now find myself in a debate with one of our other network administrators.
Currently even though we are set up as Domain Administrators if we want to see or change any security settings (network address, security event logs, etc) on a computer within that domain we have to log on to that local machine as a local administrator to give our domain id access as a local administrator.
To me this seems that we did something wrong when we first set things up, that as a network administrator we should automatically have full access to each machine that we log into so that changes can be made without having to jump through hoops first. However my co-worker thinks that it is perfectly normal and is all part of Active Directory. I have been wrong before so I am curious if I am again.

Any thoughts?

Question by:questioner

Accepted Solution

graye earned 400 total points
ID: 12682844
No, this is not normal... you can safely ignore your co-worker.

The Domain Admins group is automatically added to the PC's local Administrators group when the PC joins the domain.  Therefore, you should be able to walk up to any PC in the domain and log in using your domain account (the account that's a member of the Domain Admins group) and have full administrator privileges.

I can foresee a situation where if you had subordinate domains (in a multiple domain forest) that membership in one Domain Admins group wouldn't give you any privileges at all on the other domain.

Assisted Solution

Debsyl99 earned 400 total points
ID: 12683349
This is true, i.e. what graye has said - you may be interested in a way to correct this though? Just in case - you can assign scripts via startup scripts in group policy - they won't work via login script unless a user is a local admin,

Net localgroup

Deb :))
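A startup script of the kind suggested above, as an added example that is not part of the original posts: it checks the local Administrators group and adds Domain Admins only when missing, logging the result so the change can be audited. The domain name `EXAMPLE`, the log path and the English group name `Administrators` are assumptions.

```batch
@echo off
rem Added example: computer startup script assigned via Group Policy.
rem Startup scripts run as Local System, so no local admin logon is needed.
rem Assumption: the domain's NetBIOS name is passed as the first script
rem parameter in the GPO; EXAMPLE is a placeholder used when none is given.
setlocal
set "DOM=%~1"
if "%DOM%"=="" set "DOM=EXAMPLE"
set "GROUP=%DOM%\Domain Admins"
rem Assumption: log location; any path writable by Local System will do.
set "LOG=%SystemRoot%\Temp\localadmins-fix.log"

rem List the members of the local Administrators group and look for the entry.
rem find returns errorlevel 0 when the text is present, 1 when it is not.
net localgroup Administrators | find /i "%GROUP%" >nul
if not errorlevel 1 (
    echo %DATE% %TIME% %COMPUTERNAME%: "%GROUP%" already present >>"%LOG%"
    goto :eof
)

rem Entry is missing: add it and record whether the change succeeded.
net localgroup Administrators "%GROUP%" /add >nul 2>&1
if errorlevel 1 (
    echo %DATE% %TIME% %COMPUTERNAME%: FAILED to add "%GROUP%" >>"%LOG%"
    exit /b 1
)
echo %DATE% %TIME% %COMPUTERNAME%: added "%GROUP%" >>"%LOG%"
endlocal
```

The log file shows which machines were actually missing the group, which helps when tracking down why the default membership was lost.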

Author Comment

ID: 12684018
Glad to know that I am not completely off base.

Thanks for the scripts to correct the problem, Deb, but it does confuse me. Are you saying that the scripts are something that would be required on all computers in any domain using 2000 or that they are a hack (for want of a better word) around a problem that we somehow created by doing something wrong at setup?

I am guessing the latter since you are also agreeing with graye in that by being a domain administrator I should automatically have full access on all machines within the domain.


Expert Comment

ID: 12684139
Yes that's correct - The scripts are a suggested way around your specific problem - and yes the default on any regular 2000 server based domain is that the domain admins group IS automatically added to the local admins group on domain PCs - however this would appear not to be the case on your domain for reasons I could only guess at right now, so I suggested a fairly inexpensive (time-wise) way to remedy the problem. Once a relevant domain account is added to the local admin accounts it stays there until it's removed. Just so it's clear, your situation as graye has already said IS NOT the norm,
Deb :))

Author Comment

ID: 12684158
Thank you both for your information and thank you Deb for letting me know how to get around our situation.
