Solved

Domain Admin issues

Posted on 2007-03-29
Last Modified: 2010-03-05
Hi,

I have a domain which has 1500 machines. All the machines are in the domain. My question is: when we add a machine to the domain, will it add Domain Admins into the local Administrators group? If yes, how do we remove those rights from all machines, and will there be any problems?

THX
Sharath
Question by: bsharath
 
Accepted Solution by sirbounty (earned 250 total points), ID: 18816544
Yes, when you join the domain, Domain Admins is added to local Administrators, Domain Users is added to local Users.
The rest of your question depends heavily on why you'd want to remove that, and what you use your systems for.
If you'll ever need work done on the system by an Admin, they'd need to be able to log in locally. That means you either set the same local Admin password for all 1500 devices, or you remember 1500 passwords...
Expert Comment by strongline, ID: 18816575
Domain Admins by default is a member of local Administrators.
You can remove that either manually, via "Restricted Groups" in Group Policy, or with a script.
Removing Domain Admins from Administrators should not be a problem, but of course domain admins will lose permissions on those boxes. I would like to leave this setting alone, though, because Domain Admins can do virtually whatever they want in the domain, including adding themselves back into the local group. So there is no point in bothering to remove them.

If you have concerns, rule number one is to grant Domain Admin only to the people you trust, and keep the group as small as possible.
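Since a script is one of the options mentioned above, here is an added PowerShell example (not from the thread or any of its posters) that only audits: for a list of computers it reports whether Domain Admins is still in the local Administrators group and which other accounts are. The computer names and the NetBIOS domain name CORP are placeholders.

```powershell
# Added example (not from the thread): read-only audit of the local
# Administrators group on domain computers; flags whether "Domain Admins"
# is still a member. Placeholders: sample computer names and NetBIOS domain.
param(
    [string[]]$ComputerName = @('PC001', 'PC002'),   # constructed sample names
    [string]$Domain = 'CORP'                          # placeholder domain name
)

function Get-LocalAdminMembers {
    param([string]$Computer, [string]$DomainName)
    try {
        # The WinNT ADSI provider reads the remote machine's local SAM group.
        $group   = [ADSI]"WinNT://$Computer/Administrators,group"
        $members = @($group.psbase.Invoke('Members'))
    } catch {
        # Unreachable host or access denied: record the error and move on.
        return [pscustomobject]@{ ComputerName = $Computer; Member = $null
                                  FromDomain = $null; IsDomainAdmins = $null
                                  Error = $_.Exception.Message }
    }
    foreach ($m in $members) {
        # Members are COM objects; read Name and AdsPath via reflection.
        $name = $m.GetType().InvokeMember('Name',    'GetProperty', $null, $m, $null)
        $path = $m.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $m, $null)
        # Domain principals: WinNT://CORP/Domain Admins; local: WinNT://PC001/Administrator
        $fromDomain = $path -like "WinNT://$DomainName/*"
        [pscustomobject]@{
            ComputerName   = $Computer
            Member         = $name
            FromDomain     = $fromDomain
            IsDomainAdmins = ($fromDomain -and $name -eq 'Domain Admins')
            Error          = $null
        }
    }
}

$report = foreach ($c in $ComputerName) { Get-LocalAdminMembers -Computer $c -DomainName $Domain }

# Per-machine summary: has Domain Admins lost local admin rights, and which
# other accounts hold them? Unexpected local admins deserve a second look.
$report | Group-Object ComputerName | ForEach-Object {
    [pscustomobject]@{
        ComputerName    = $_.Name
        HasDomainAdmins = [bool]($_.Group | Where-Object { $_.IsDomainAdmins })
        OtherAdmins     = ($_.Group | Where-Object { $_.Member -and -not $_.IsDomainAdmins } |
                           ForEach-Object { $_.Member }) -join ', '
        Error           = ($_.Group | Where-Object { $_.Error } | Select-Object -First 1).Error
    }
} | Format-Table -AutoSize
```

Feed it the computer list exported from Active Directory to get a domain-wide picture before deciding on any Restricted Groups change.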
Author Comment by bsharath, ID: 18816577
If Domain Admins is not there or is removed, what would the problems be? Will the user have restrictions or problems in doing his work?
Expert Comment by sirbounty, ID: 18816585
The 'user' has nothing to do with it, unless their accounts are domain admins (I hope not! :)
The effect would be on any domain admin trying to log on to that device for support...
Author Comment by bsharath, ID: 18816590
1. What all can I do if Domain Admin is available?
2. What can I not do if it is not available?
Expert Comment by sirbounty, ID: 18816604
1) Anything a local admin can do since Domain Admin = Administrators
2) You may not be able to log in at all at the local desktop (depends on how your groups are defined)
Author Comment by bsharath, ID: 18816610
I need to make my management understand that Domain Admin is required. The management asks why we have given Domain Admin rights to end users. How can I explain it to them? Please advise.
Expert Comment by strongline, ID: 18816655
What kind of answer are you looking for? I think the above replies are good enough already.
Expert Comment by sirbounty, ID: 18816659
Alright - if you have domain 'user' JohnSmith.  He can be set to log on to 'his' computer since he's a member of the Domain Users group (which is a member of the local Users group on that computer).

If JimBob is a Domain Admin and he tries to log on to JohnSmith's computer to provide support (whether he walks up to the PC or connects remotely) he will not be able to log onto that device, or at least perform administrative functions if he does not, in some way, authenticate as an Administrator.  He has two options for that:  Log in as the local Administrator account on that computer (or a 'copy' of the local Admin) or log onto the domain using his Domain Admin credentials which (if left at the default) would give him local Administrative rights since Domain Admins is by default in the local Administrators group.

Does that help?
Author Comment by bsharath, ID: 18816702
Thanks a lot, Sirbounty,

If I need to remove this from all the machines by chance, how do I perform this on all users in one shot?
Expert Comment by mikeleebrla, ID: 18816752
>>The management says that why have we given Domain admin rights to end users.
What? Can you explain what you mean by this? Your end users should NOT be in the Domain Admins group.

Remember, there are local admins, local users, domain admins and domain users; all 4 of these groups are completely different. Their names are pretty self-explanatory as to what each group can/cannot do.

Author Comment by bsharath, ID: 18817054
mikeleebrla:
My question is simple: if I remove Domain Admins from a machine, what will happen? What problems will we face?
Author Comment by bsharath, ID: 18817102
strongline:
What does this mean?
Domain Admin can do virtually whatever they want in the domain
Expert Comment by sirbounty, ID: 18817104
Are you saying that your users are Domain Admins?
Author Comment by bsharath, ID: 18817134
Sorry, I mean to say my computers are added to Domain Admins.
Expert Comment by sirbounty, ID: 18817204
Your computer cannot be a 'domain admin'.
Domain Admins is a group in your domain that gives your admins permissions to perform administrative functions in your domain.

Are you the administrator of your network?
Author Comment by bsharath, ID: 18817252
When we add a machine to the domain, you said the domain admin gets added to the machine? Am I correct? Then will it add to the user or the machine?

Sirbounty

Yes, I am an admin of my network. Sorry, maybe a communication error if I was misunderstood.
Assisted Solution by emiops (earned 150 total points), ID: 18817262
Domain Admins by default are considered "Local Administrators" on all computers in the domain. Because of this they can pretty much do whatever they want throughout the domain. By taking the "Domain Admins" group out of the "Local Administrators" group on every computer, you can potentially lose the ability to manage the computers on the domain.

"Local Administrators" have the ability to install applications, reset passwords, add/remove computers from the domain, and so on. If the "Domain Admins" group loses "Local Administrator" access to the computer, you will have to remember at least 1 "Local Administrator" account on each computer. Best practice for this is to have a common username and password on each system that is tightly controlled; otherwise you are going to have to remember 1500 passwords and usernames if you have 1500 computers in your network. The problem with doing this is that other "Local Administrators" on the computer have the ability to reset passwords for other "Local Administrators".

By having a "Domain Admin" with "Local Administrators" access to all computers, other "Local Administrators" cannot reset "Domain Passwords" (because they are saved on the domain, outside the local computer's control) and you can use a common username and password on each system. An added benefit of this method is that when a domain admin password becomes compromised, it can be easily changed by simply going to Active Directory (or whatever you're using) and resetting that particular Domain Admin account (best practice is to change your password often, before it becomes compromised).
Assisted Solution by mikeleebrla (earned 100 total points), ID: 18817292
>>My question is simple if i remove the domain admin from a machine what will happen.Problem that we face

That means that nobody logged in with an account that is a member of the 'Domain Admins' group will be able to manage the local computer. Basically you are taking your ability to manage the PCs away from yourself. If you do that, then the only way you can do any maintenance on any PC is to log in with the LOCAL admin account. I would highly recommend not doing this. It sounds like your 'management' is trying to manage the IT department and they don't know what they are doing. It is your job as a network manager/admin to manage the network, not theirs.
Author Comment by bsharath, ID: 18817619
My last doubt

Domain Admin is part of the computer or user?

THX
Sharath
Expert Comment by sirbounty, ID: 18817632
Neither.
It's a domain group on your domain
Author Comment by bsharath, ID: 18817730
Thanks a lot experts for such fast and good comments that solved my problem
Expert Comment by strongline, ID: 18817763
Examples of what Domain Admins can do:

1. You can deny Domain Admins access to a file; however, they can easily take it back.
2. You can remove Domain Admins from local admins; again, they can add themselves back.
And more...

because you like them to be domain admins.