Domain Admin issues

Hi,

I have a domain which has 1500 machines. All the machines are in the domain. My question is: when we add a machine to the domain, will it add Domain Admins into the group which is in as Administrators? If yes, how do we remove those rights from all machines, and will there be any problems?

THX
Sharath
bsharathAsked:
sirbountyCommented:
Yes, when you join the domain, Domain Admins is added to local Administrators, and Domain Users is added to local Users.
The rest of your question depends heavily on why you'd want to remove that, and what you use your systems for.
If you'll ever need work done on the system by an Admin, they'd need to be able to log in locally. That means you either set the same local Admin password for all 1500 devices, or you remember 1500 passwords...

stronglineCommented:
Domain Admins is by default a member of local Administrators.
You can remove that either manually, via "Restricted Groups" in Group Policy, or with a script.
Removing Domain Admins from Administrators should not be a problem, but of course Domain Admins will lose permissions on those boxes. I would leave this setting alone, though, because Domain Admins can do virtually whatever they want in the domain, including adding themselves back into the local group. So there is no point in bothering to remove them.

If you have concerns, rule number one is to grant Domain Admin only to the people you trust, and keep the group as small as possible.
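To act on the "keep the group as small as possible" advice you first need to know who actually ends up in Domain Admins, including accounts that get there through nested groups. The script below is an added example, not code from this thread or from any of the participants. It uses only the ADSI LDAP provider (no RSAT or ActiveDirectory module, so it also runs on older Windows hosts), discovers the domain from RootDSE rather than hard-coding a name, and also picks up accounts whose primary group is Domain Admins (well-known RID 512), which never show up in the group's member attribute. The function name Expand-GroupMembers is my own.

```powershell
# Added example, not code from the thread. Lists every account that resolves to
# Domain Admins, expanding nested groups, plus accounts whose primary group is
# Domain Admins (RID 512), which are members without appearing in "member".
# Assumption: run as any domain user on a domain-joined machine; the domain is
# read from RootDSE, nothing is hard-coded. Ranged retrieval for groups with
# more than 1500 direct members is not handled (Domain Admins should never need it).

$rootDse  = [ADSI]"LDAP://RootDSE"
$domainDN = [string]$rootDse.defaultNamingContext

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$domainDN"
$searcher.PageSize   = 1000

# Locate the Domain Admins group by its sAMAccountName
$searcher.Filter = "(&(objectClass=group)(sAMAccountName=Domain Admins))"
$daGroup = $searcher.FindOne().GetDirectoryEntry()

function Expand-GroupMembers {
    # Walks the member attribute recursively; $seen stops loops from nested groups
    param($groupEntry, $seen)
    foreach ($memberDN in $groupEntry.member) {
        if ($seen.ContainsKey($memberDN)) { continue }
        $seen[$memberDN] = $true
        # Escape "/" in a DN, which ADSI would otherwise read as a path separator
        $m = [ADSI]("LDAP://" + ($memberDN -replace '/', '\/'))
        if ($m.SchemaClassName -eq 'group') {
            Expand-GroupMembers $m $seen
        } else {
            New-Object PSObject -Property @{
                Account = [string]$m.sAMAccountName
                Type    = $m.SchemaClassName          # 'user' or 'computer'
                Via     = [string]$groupEntry.sAMAccountName
            }
        }
    }
}

$members = @(Expand-GroupMembers $daGroup @{})

# Accounts whose primary group is Domain Admins: members, but not listed in "member"
$searcher.Filter = "(&(objectClass=user)(primaryGroupID=512))"
[void]$searcher.PropertiesToLoad.Add('sAMAccountName')
foreach ($r in $searcher.FindAll()) {
    $members += New-Object PSObject -Property @{
        Account = [string]$r.Properties['samaccountname'][0]
        Type    = 'user'
        Via     = 'primaryGroupID=512'
    }
}

$members | Sort-Object Account | Format-Table Account, Type, Via -AutoSize
"Domain Admins resolves to $($members.Count) account(s)"
```

Run it before the conversation with management: the "Via" column shows whether an account is a direct member or inherits the right through another group, which is usually where unexpected end-user accounts come from. Any entry of type "computer" or any ordinary user account is something to remove, and the list is the evidence for why the group should stay small.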
bsharathAuthor Commented:
If the Domain Admin is not there or is removed, what would the problems be? Will the user have restrictions or problems doing his work?
sirbountyCommented:
The 'user' has nothing to do with it, unless their accounts are Domain Admins (I hope not! :)
The effect would be on any Domain Admin trying to log on to that device for support...
bsharathAuthor Commented:
1. What can I do if Domain Admin is available?
2. What can I not do if it is not available?
sirbountyCommented:
1) Anything a local admin can do, since Domain Admins = Administrators
2) You may not be able to log in at all at the local desktop (depends on how your groups are defined)
bsharathAuthor Commented:
I need to make management understand that Domain Admin is required. Management asks why we have given Domain Admin rights to end users. How can I explain it to them? Please advise.
stronglineCommented:
What kind of answer are you looking for? I think the above replies are good enough already.
sirbountyCommented:
Alright - if you have domain 'user' JohnSmith, he can be set to log on to 'his' computer since he's a member of the Domain Users group (which is a member of the local Users group on that computer).

If JimBob is a Domain Admin and he tries to log on to JohnSmith's computer to provide support (whether he walks up to the PC or connects remotely), he will not be able to log onto that device, or at least perform administrative functions, if he does not in some way authenticate as an Administrator. He has two options for that: log in as the local Administrator account on that computer (or a 'copy' of the local Admin), or log onto the domain using his Domain Admin credentials, which (if left at the default) would give him local administrative rights since Domain Admins is by default in the local Administrators group.

Does that help?
bsharathAuthor Commented:
Thanks a lot, Sirbounty.

If I need to remove this from all the machines, how do I perform this on all users in one shot?
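The question of doing this "in one shot" across 1500 machines, and strongline's earlier mention of doing it by script, can be served by one audit-and-remove script. What follows is an added example, not code from this thread or from any of the participants. It walks every computer account in the domain, reads the local Administrators group through the ADSI WinNT provider (which works against older clients without PowerShell remoting), reports whether Domain Admins is in it, and only removes the group when run with -Remove; the default is report-only. Assumed: you run it as a Domain Admin (you need that right to edit the group, and lose it on each box afterwards, which is exactly the consequence the replies above describe), the NetBIOS domain name is taken from $env:USERDOMAIN, the machines are reachable over RPC/SMB, and the group is literally named "Administrators" (localized Windows builds name it differently).

```powershell
# Added example, not code from the thread. Audits the local Administrators group on
# every computer in the domain and reports which machines still have Domain Admins
# in it; with -Remove it also takes Domain Admins out. Default is report-only.
# Assumptions: run as a Domain Admin; NetBIOS domain from $env:USERDOMAIN; machines
# reachable over RPC/SMB; group named "Administrators" (on localized builds match
# the group by SID S-1-5-32-544 instead).

param([switch]$Remove)

$domain = $env:USERDOMAIN
$daPath = "WinNT://$domain/Domain Admins"      # ADsPath of the domain group as the WinNT provider sees it

# All computer accounts in the domain; PageSize is needed to get past 1000 results
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter   = "(objectCategory=computer)"
$searcher.PageSize = 1000
[void]$searcher.PropertiesToLoad.Add('name')
$computers = @($searcher.FindAll() | ForEach-Object { $_.Properties['name'][0] })

$results = foreach ($computer in $computers) {
    try {
        $admins = [ADSI]"WinNT://$computer/Administrators,group"
        # Members come back as COM objects; read each one's ADsPath via reflection
        $members = @($admins.psbase.Invoke('Members') | ForEach-Object {
            $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        })
        $hasDA = [bool]($members -contains $daPath)
        if ($hasDA -and $Remove) {
            $admins.psbase.Invoke('Remove', $daPath)
        }
        New-Object PSObject -Property @{
            Computer = $computer; DomainAdminsPresent = $hasDA
            Removed  = ($hasDA -and $Remove); Members = ($members -join '; '); Error = ''
        }
    } catch {
        # Offline machine, firewall, or no admin rights on that box: record it and move on
        New-Object PSObject -Property @{
            Computer = $computer; DomainAdminsPresent = $null
            Removed  = $false; Members = ''; Error = $_.Exception.Message
        }
    }
}

$results | Export-Csv -NoTypeInformation -Path .\LocalAdministrators.csv
$withDA = @($results | Where-Object { $_.DomainAdminsPresent -eq $true }).Count
$failed = @($results | Where-Object { $_.Error }).Count
"Domain Admins present on $withDA of $($computers.Count) machines; $failed unreachable"
```

Run it without -Remove first and read the CSV: the Members column also shows any other accounts that have been added to local Administrators over the years, which is usually the more interesting finding. Two caveats a practitioner should keep in mind. First, a script only changes the state once; the "Restricted Groups" setting in Group Policy that strongline mentioned (Computer Configuration, Windows Settings, Security Settings) re-applies membership on every policy refresh, and its "Members of this group" mode replaces the whole membership list, including local accounts you may want to keep, whereas "This group is a member of" only adds. Second, as the replies above say, anyone in Domain Admins can put the group straight back, so removing it from local Administrators changes nothing about what a Domain Admin can do; what it does change is that you now depend on a local Administrator password on every one of the 1500 machines.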
mikeleebrlaCommented:
>>The management says that why have we given Domain admin rights to end users.
What? Can you explain what you mean by this? Your end users should NOT be in the Domain Admins group.

Remember, there are local admins, local users, domain admins and domain users; all 4 of these groups are completely different. Their names are pretty self-explanatory as to what each group can/cannot do.
bsharathAuthor Commented:
mikeleebrla:
My question is simple: if I remove the Domain Admin from a machine, what will happen? What problems will we face?
bsharathAuthor Commented:

strongline:
What does this mean?
"Domain Admin can do virtually whatever they want in the domain"
sirbountyCommented:
Are you saying that your users are Domain Admins?
bsharathAuthor Commented:
Sorry, I meant to say my computers are added to Domain Admin.
sirbountyCommented:
Your computer cannot be a 'Domain Admin'.
Domain Admins is a group in your domain that gives your admins permission to perform administrative functions in your domain.

Are you the administrator of your network?
bsharathAuthor Commented:
When we add a machine to the domain, you said the Domain Admin gets added to the machine? Am I correct? Then will it be added to the user or to the machine?

Sirbounty,

Yes, I am an admin of my network. Sorry, maybe it was a communication error if I was misunderstood.
emiopsCommented:
Domain Admins by default are considered "Local Administrators" on all computers in the domain. Because of this they can pretty much do whatever they want throughout the domain. By taking the "Domain Admins" group out of the "Local Administrators" group on every computer, you can potentially lose the ability to manage the computers on the domain.

"Local Administrators" have the ability to install applications, reset passwords, add/remove computers from the domain, and so on. If the "Domain Admins" group loses "Local Administrator" access to the computer, you will have to remember at least 1 "Local Administrator" account on each computer. Best practice for this is to have a common username and password on each system that is tightly controlled; otherwise you are going to have to remember 1500 usernames and passwords if you have 1500 computers in your network. The problem with doing this is that other "Local Administrators" on the computer have the ability to reset passwords for other "Local Administrators".

By having a "Domain Admin" with "Local Administrators" access to all computers, other "Local Administrators" cannot reset "Domain Passwords" (because they are saved on the domain, outside the local computer's control) and you can use a common username and password on each system. An added benefit of this method is that when a domain admin password becomes compromised, it can be easily changed by simply going to Active Directory (or whatever you're using) and resetting that particular Domain Admin account (best practice is to change your password often, before it becomes compromised).
mikeleebrlaCommented:
>>My question is simple if i remove the domain admin from a machine what will happen.Problem that we face

That means that nobody logged in with an account that is a member of the 'Domain Admins' group will be able to manage the local computer. Basically you are taking your ability to manage the PCs away from yourself. If you do that, then the only way you can do any maintenance on any PC is to log in with the LOCAL admin account. I would highly recommend not doing this. It sounds like your 'management' is trying to manage the IT department and they don't know what they are doing. It is your job as a network manager/admin to manage the network, not theirs.
bsharathAuthor Commented:
My last doubt:

Is Domain Admin part of the computer or the user?

THX
Sharath
sirbountyCommented:
Neither.
It's a domain group on your domain
bsharathAuthor Commented:
Thanks a lot, experts, for such fast and good comments that solved my problem.
stronglineCommented:
Examples of what Domain Admins can do:

1. You can deny Domain Admins access to a file; however, they can easily take it back.
2. You can remove Domain Admins from local admins; again, they can add themselves back.
And more...

because you like them to be Domain Admins.