Permissions: Removing users from Domain Admins group

Posted on 2009-04-28
Medium Priority
Last Modified: 2012-05-06
The previous IT guy who left our company thought it was best and easiest to make all users Domain Admins.
I removed a couple of users from the list last night for testing, and this morning they couldn't log into Vista because it was complaining that permissions were set and things couldn't run and install. How would I go about removing them with no problems?
Question by: Techno-Man-uk

Expert Comment

ID: 24248650
Are they logging on locally?

Do they need to be local administrators on their workstations?  

Author Comment

ID: 24248660
No, they are logging on to a domain and they don't need to be administrators, except a couple of users.

Assisted Solution

oBdA earned 450 total points
ID: 24248682
For the time being, to remove them from Domain Admins at least, create a domain local group "WorkstationAdmin" or whatever.
Use a "Restricted Groups" policy (add "WorkstationAdmin" as restricted group and choose "This group is a member of: Administrators"; do NOT add "Administrators" as restricted group; the former is additive, the latter would remove any local admin accounts other than the ones you specify in the policy) applied to your workstations (start with a test workstation ...).
Add the group "Domain Users" to the group "WorkstationAdmin".
Then you'll need to take a regular workstation and adjust the logon scripts and permissions so that a regular user can use the machine. At that point, remove Domain Users from the WorkstationAdmin group.

Assisted Solution

smacky81 earned 450 total points
ID: 24248924
What you can do is remove them all from Domain Admins and make sure they are all members of Domain Users.

If you wish to give them local admin rights (i.e. on their computer), then on the computer right-click Computer > Manage > Local Users and Groups > Administrators > Add Domain Users.

Not sure if that is how you access it on Vista, though it is correct for XP: effectively, get into Manage Computer and add Domain Users to the Administrators group on the local computer. This will apply sufficient rights to use the computer without giving everyone full access to files on the network.

Accepted Solution

Americom earned 600 total points
ID: 24250689
It seems like the users you removed from the Domain Admins group need local administrator rights to run applications on their Vista machines. By default, the Domain Admins group is a member of the local Administrators group on all machines joined to the domain. By removing the user accounts from the Domain Admins group you removed their local admin rights on their Vista machines. If you are familiar with GPO, the method oBdA suggests is the way to go, but you must test it and get familiar with it to use it successfully.
Otherwise, what you are trying to do is the right thing, that is, remove all users who do not need to be in the Domain Admins group. It is just too crazy to add all users to this group.

For those two users that you removed and who are running into problems, for now just add their domain user accounts to their Vista machines' local Administrators group and they should be fine. But in the long run, if these are just end users, they may not need admin rights, as they shouldn't be the ones able to install whatever they want on a domain computer. So, with all users already in the Domain Admins group, many users could have gotten used to having admin rights, and once you remove them from the Domain Admins group they may experience problems... a lot of clean-up.
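An added example, not code from any of the answers above, that scripts the combination oBdA and Americom describe: create the "WorkstationAdmin" domain local group that the Restricted Groups policy nests into each workstation's local Administrators group, then move every user except an explicit keep-list out of Domain Admins and into that group. It assumes the ActiveDirectory PowerShell module (RSAT) is installed; the account names in the keep-list are placeholders.

```powershell
# Added example (not from the thread). Run with -WhatIf first: nothing changes
# until -WhatIf is dropped. Assumes the ActiveDirectory module (RSAT) and that
# the caller is itself a Domain Admin.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Placeholder accounts that legitimately stay in Domain Admins; adjust to your domain.
    [string[]]$KeepInDomainAdmins = @('Administrator', 'it.admin'),
    # Group name from oBdA's answer; referenced by the Restricted Groups policy.
    [string]$WorkstationAdminGroup = 'WorkstationAdmin'
)

Import-Module ActiveDirectory

# 1. Domain local group that the GPO sets as "member of" local Administrators.
if (-not (Get-ADGroup -Filter "Name -eq '$WorkstationAdminGroup'")) {
    if ($PSCmdlet.ShouldProcess($WorkstationAdminGroup, 'Create domain local group')) {
        New-ADGroup -Name $WorkstationAdminGroup -GroupScope DomainLocal -GroupCategory Security `
            -Description 'Nested into local Administrators on workstations via Restricted Groups'
    }
}

# 2. Snapshot direct Domain Admins membership before touching anything.
$members = Get-ADGroupMember -Identity 'Domain Admins'
$members | Select-Object SamAccountName, objectClass, DistinguishedName |
    Export-Csv -Path ".\DomainAdmins-before-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation

# Nested groups are reported, not modified: they need a manual look.
$members | Where-Object { $_.objectClass -eq 'group' } |
    ForEach-Object { Write-Warning "Nested group in Domain Admins: $($_.SamAccountName)" }

# 3. Every user not on the keep-list loses Domain Admins and gains WorkstationAdmin,
#    so they keep local admin on their PC but lose domain-wide rights.
foreach ($user in ($members | Where-Object { $_.objectClass -eq 'user' })) {
    if ($KeepInDomainAdmins -contains $user.SamAccountName) {
        Write-Verbose "Keeping $($user.SamAccountName) in Domain Admins"
        continue
    }
    $action = "Remove from Domain Admins, add to $WorkstationAdminGroup"
    if ($PSCmdlet.ShouldProcess($user.SamAccountName, $action)) {
        Add-ADGroupMember    -Identity $WorkstationAdminGroup -Members $user
        Remove-ADGroupMember -Identity 'Domain Admins' -Members $user -Confirm:$false
    }
}

# 4. Verify who is left in Domain Admins after the change.
Get-ADGroupMember -Identity 'Domain Admins' | Select-Object SamAccountName, objectClass
```

The Restricted Groups policy itself (WorkstationAdmin "is a member of" Administrators, scoped to a test workstation OU first) is still created in the Group Policy Management Console; the script only prepares the group and the membership changes.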
