Active Directory & Domain Administrators

We have recently switched to Server 2000 using Active Directory and I now find myself in a debate with one of our other network administrators.
Currently, even though we are set up as Domain Administrators, if we want to see or change any security settings (network address, security event logs, etc.) on a computer within that domain we have to log on to that local machine as a local administrator to give our domain ID access as a local administrator.
To me this seems that we did something wrong when we first set things up, that as a network administrator we should automatically have full access to each machine that we log into so that changes can be made without having to jump through hoops first. However my co-worker thinks that it is perfectly normal and is all part of Active Directory. I have been wrong before so I am curious if I am again.

Any thoughts?


questioner Asked:
graye Commented:
No, this is not normal...  you can safely ignore your co-worker

The Domain Admins group is automatically added to the PC's local Administrators group when the PC joins the domain.  Therefore, you should be able to walk up to any PC in the domain and log in using your domain account (the account that's a member of the Domain Admins group) and have full administrator privileges.

I can foresee a situation where if you had subordinate domains (in a multiple domain forest) that membership in one Domain Admins group wouldn't give you any privileges at all on the other domain.
Debsyl99 Commented:
Hi
This is true, i.e. what graye has said - you may be interested in a way to correct this though? Just in case - you can assign scripts via startup scripts in group policy - they won't work via login script unless a user is a local admin.

http://experts-exchange.com/Operating_Systems/Win2000/Q_21176363.html
Net localgroup
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/net_localgroup.mspx

http://experts-exchange.com/Operating_Systems/Win2000/Q_21168772.html
Deb :))
questioner (Author) Commented:
Glad to know that I am not completely off base.

Thanks for the scripts to correct the problem, Deb, but it does confuse me. Are you saying that the scripts are something that would be required on all computers in any domain using 2000 or that they are a hack (for want of a better word) around a problem that we somehow created by doing something wrong at setup?

I am guessing the latter since you are also agreeing with graye in that by being a domain administrator I should automatically have full access on all machines within the domain.

Thanks
Debsyl99 Commented:
Hi
Yes that's correct - The scripts are a suggested way around your specific problem - and yes the default on any regular 2000 server based domain is that domain admins group IS automatically added to the local admins group on domain pc's - however this would appear not to be the case on your domain for reasons I could only guess at right now, so I suggested a fairly inexpensive (time-wise) way to remedy the problem. Once a relevant domain account is added to the local admin accounts it stays there until it's removed. Just so it's clear, your situation as graye has already said IS NOT the norm,
Deb :))
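
The startup-script approach Deb describes in her two comments, as an added example that is not part of the original thread or the linked solutions: a computer startup script (assigned through Group Policy, so it runs with local system rights rather than the user's) that re-adds Domain Admins to the local Administrators group only when it is missing. `EXAMPLE` is a placeholder for your domain's NetBIOS name and the log path is an assumption.

```bat
@echo off
rem Added example, not from the original thread.
rem Assign as a COMPUTER startup script in Group Policy; a user logon
rem script fails unless the user is already a local administrator.
setlocal

rem Placeholder: replace EXAMPLE with your domain's NetBIOS name.
set GROUP=EXAMPLE\Domain Admins
rem Assumed log location; any path writable at startup will do.
set LOG=%SystemRoot%\Temp\localadmin-fix.log

rem List members of the local Administrators group and look for the
rem domain group. find returns errorlevel 0 when it is present.
net localgroup Administrators | find /i "%GROUP%" >nul
if not errorlevel 1 goto done

rem The group is missing, so add it and record the outcome. A machine
rem that logs ADDED on every boot has something removing the group.
net localgroup Administrators "%GROUP%" /add >nul 2>&1
if errorlevel 1 (
    echo %DATE% %TIME% %COMPUTERNAME% FAILED to add "%GROUP%" >> "%LOG%"
) else (
    echo %DATE% %TIME% %COMPUTERNAME% ADDED "%GROUP%" >> "%LOG%"
)

:done
endlocal
```

Because the script only acts when the group is absent, the log doubles as a record of which machines had drifted from the default; repeated entries for the same machine point to a policy or process that keeps removing the membership and is worth tracking down.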
questioner (Author) Commented:
Thank you both for your information and thank you, Deb, for letting me know how to get around our situation.