bsharath
asked on
Domain Admin issues
Hi,
I have a domain which has 1500 machines. All the machines are in the domain. My question is: when we add a machine to the domain, will it add Domain Admin into the group which is in as administrators? If yes, how do we remove those rights from all mac, and will there be any problems?
THX
Sharath
ASKER
If the domain admin is not there or is removed, what would be the problems? Will the user have restrictions or problems in doing his work?
The 'user' has nothing to do with it, unless their accounts are domain admins (I hope not! :)
The effect would be on any domain admin trying to log on to that device for support...
ASKER
1. What all can I do if Domain Admin is available?
2. What can I not do if it is not available?
1) Anything a local admin can do since Domain Admin = Administrators
2) You may not be able to log in at all at the local desktop (depends on how your groups are defined)
ASKER
I need to make my management understand that domain admin is required. The management asks why we have given Domain admin rights to end users. How can I explain it to them? Please advise.
What kind of answer are you looking for? I think the above replies are good enough already.
Alright - if you have domain 'user' JohnSmith. He can be set to log on to 'his' computer since he's a member of the Domain Users group (which is a member of the local Users group on that computer).
If JimBob is a Domain Admin and he tries to log on to JohnSmith's computer to provide support (whether he walks up to the PC or connects remotely) he will not be able to log onto that device, or at least perform administrative functions if he does not, in some way, authenticate as an Administrator. He has two options for that: Log in as the local Administrator account on that computer (or a 'copy' of the local Admin) or log onto the domain using his Domain Admin credentials which (if left at the default) would give him local Administrative rights since Domain Admins is by default in the local Administrators group.
Does that help?
ASKER
Thanks a lot, Sirbounty,
If I need to remove this from all the machines by chance, how do I perform this on all users in one shot?
>>The management says that why have we given Domain admin rights to end users.
What? Can you explain what you mean by this? Your end users should NOT be in the domain admin group.
Remember, there are local admins, local users, domain admins and domain users; all 4 of these groups are completely different. Their names are pretty self-explanatory as to what each group can/cannot do.
ASKER
mikeleebrla:
My question is simple: if I remove the domain admin from a machine, what will happen? Problem that we face
ASKER
strongline:
What does this mean
Domain Admin can do virtually whatever they want in the domain
Are you saying that your users are Domain Admins?
ASKER
Sorry, I mean to say my computers are added in domain admin.
Your computer cannot be a 'domain admin'.
Domain Admins is a group in your domain that gives your Admins permissions to do Administrative functions in your domain.
Are you the administrator of your network?
ASKER
When we add a machine to the domain, you said the domain admin gets added to the machine? Am I correct? Then will it add to the user or machine?
Sirbounty
Yes, I am an admin of my network. Sorry, maybe a communication error if misunderstood.
ASKER
My last doubt:
Domain Admin is part of the computer or user?
THX
Sharath
Neither.
It's a domain group on your domain
ASKER
Thanks a lot experts for such fast and good comments that solved my problem
Examples of what Domain Admins can do:
1. You can deny Domain Admin access to a file; however, they can easily take it back
2. You can remove domain admin out of local admin; again, they can add themselves back
and more...
because you like them to be domain admins.
You can remove that either manually, or via "restricted group" in group policy, or a script.
Removing domain admin out of administrators should not be a problem, but of course, domain admins will lose permissions on those boxes. I would like to leave this setting alone, though, because Domain Admin can do virtually whatever they want in the domain, including adding themselves back into the local group. So there is no point in bothering to remove them.
If you have concerns, rule number one is to grant domain admin only to the people you trust, and keep the group as small as possible.
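
The "script" option mentioned in the answer above, as an added PowerShell example that is not part of the original thread: it reports which machines have Domain Admins in the local Administrators group and can remove that membership behind a `-WhatIf`/confirmation guard. It assumes Windows PowerShell 5.1 with PowerShell remoting enabled on the targets; the function names and `PC-001`/`PC-002` are hypothetical.

```powershell
#Requires -Version 5.1
# Added example: report, and optionally remove, Domain Admins in the local
# Administrators group. Function names and PC-001/PC-002 are hypothetical.

function Get-DomainAdminsLocalMembership {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string[]] $ComputerName)

    Invoke-Command -ComputerName $ComputerName -ErrorAction SilentlyContinue `
                   -ErrorVariable failed -ScriptBlock {
        # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators,
        # so the lookup does not depend on a localized group name.
        $members = Get-LocalGroupMember -SID 'S-1-5-32-544'
        # Domain Admins is always <domain SID>-512.
        $da = $members | Where-Object { $_.SID.Value -match '^S-1-5-21-.+-512$' }
        [pscustomobject]@{
            Computer        = $env:COMPUTERNAME
            HasDomainAdmins = [bool]$da
            Members         = $members.Name -join '; '
        }
    }
    # Machines that were offline or refused the connection are reported, not hidden.
    foreach ($f in $failed) { Write-Warning "Audit failed: $($f.Exception.Message)" }
}

function Remove-DomainAdminsLocalMembership {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([Parameter(Mandatory)] [string[]] $ComputerName)

    foreach ($c in $ComputerName) {
        # -WhatIf shows what would change; without it each machine is confirmed.
        if ($PSCmdlet.ShouldProcess($c, 'Remove Domain Admins from local Administrators')) {
            Invoke-Command -ComputerName $c -ScriptBlock {
                Get-LocalGroupMember -SID 'S-1-5-32-544' |
                    Where-Object { $_.SID.Value -match '^S-1-5-21-.+-512$' } |
                    ForEach-Object {
                        Remove-LocalGroupMember -SID 'S-1-5-32-544' -Member $_.SID.Value
                    }
            }
        }
    }
}

# Usage (placeholder computer names):
# Get-DomainAdminsLocalMembership -ComputerName PC-001, PC-002 | Where-Object HasDomainAdmins
# Remove-DomainAdminsLocalMembership -ComputerName PC-001 -WhatIf
```

As the thread notes, a Domain Admin can add the group back, so a one-off removal only holds if a Restricted Groups policy keeps enforcing the membership.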