questioner

Active Directory & Domain Administrators

We have recently switched to Server 2000 using Active Directory and I now find myself in a debate with one of our other network administrators.
Currently, even though we are set up as Domain Administrators, if we want to see or change any security settings (network address, security event logs, etc.) on a computer within that domain we have to log on to that local machine as a local administrator to give our domain ID access as a local administrator.
To me this seems that we did something wrong when we first set things up, that as a network administrator we should automatically have full access to each machine that we log into so that changes can be made without having to jump through hoops first. However my co-worker thinks that it is perfectly normal and is all part of Active Directory. I have been wrong before so I am curious if I am again.

Any thoughts?


ASKER CERTIFIED SOLUTION
graye
questioner

ASKER

Glad to know that I am not completely off base.

Thanks for the scripts to correct the problem, Deb, but it does confuse me. Are you saying that the scripts are something that would be required on all computers in any domain using 2000 or that they are a hack (for want of a better word) around a problem that we somehow created by doing something wrong at setup?

I am guessing the latter since you are also agreeing with graye in that by being a domain administrator I should automatically have full access on all machines within the domain.

Thanks
Hi
Yes that's correct - The scripts are a suggested way around your specific problem - and yes the default on any regular 2000 server based domain is that domain admins group IS automatically added to the local admins group on domain PCs - however this would appear not to be the case on your domain for reasons I could only guess at right now, so I suggested a fairly inexpensive (time-wise) way to remedy the problem. Once a relevant domain account is added to the local admin accounts it stays there until it's removed. Just so it's clear, your situation as graye has already said IS NOT the norm.
Deb :))
Thank you both for your information and thank you Deb for letting me know how to get around our situation.
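
The thread's point is that Domain Admins should already be a member of each domain computer's local Administrators group, and that a script can add it where it is missing. The following is an added example, not one of the scripts posted in the thread (those are not shown on this page): it audits that membership remotely through the WinNT ADSI provider and adds the group only when `-Fix` is given. The domain name `EXAMPLE`, the host names `PC01` and `PC02`, and the English group name `Administrators` are assumptions.

```powershell
# Added example: audit (and optionally repair) local Administrators membership.
# EXAMPLE is a placeholder NetBIOS domain name; PC01/PC02 are placeholder hosts.
param(
    [string[]]$ComputerName = @('PC01', 'PC02'),
    [string]$Domain = 'EXAMPLE',
    [switch]$Fix   # without -Fix the script only reports
)

# ADsPath that a Domain Admins entry has inside a local group.
$wanted = "WinNT://$Domain/Domain Admins"

foreach ($computer in $ComputerName) {
    try {
        # Bind to the machine's local Administrators group (assumed English name).
        $group = [ADSI]"WinNT://$computer/Administrators,group"

        # Members() returns COM objects; read each member's ADsPath by reflection.
        $members = @($group.Invoke('Members')) | ForEach-Object {
            $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        }

        $present = $members -contains $wanted   # -contains is case-insensitive
        if (-not $present -and $Fix) {
            # Add the domain group; membership persists until it is removed.
            $group.Add("$wanted,group")
            $present = $true
        }

        [pscustomobject]@{
            Computer            = $computer
            DomainAdminsPresent = $present
            Members             = $members -join '; '
        }
    }
    catch {
        # Unreachable host or access denied: report it rather than stop the audit.
        [pscustomobject]@{
            Computer            = $computer
            DomainAdminsPresent = $null
            Members             = "ERROR: $($_.Exception.Message)"
        }
    }
}
```

Running it first without `-Fix` shows which machines deviate from the default and which other accounts hold local administrator rights, which is worth reviewing before changing anything.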