
SBS 2008 Add Domain Admin to Local Admin Group via GPO

Hello,

I am currently in the process of setting up a new SBS 2008 SP2 server and have had a look at the security on there. So I have a couple of questions.

1. From what I gather, ALL domain admins are added to the local admin group on connected workstations; is that right?

2. If I didn't want to give all domain admins that right I understand that this can be accomplished via GPO and I have come across a couple of methods which I will outline below.

Method a) This can be accomplished through the restricted groups on GPO, and if so, how can I set this up so that I can only add specific domain admins to the local admin group?

Method b) The second method I have found is through the User configuration | Preferences | Control Panel settings | Local users and groups. Having tried this, I can remove the currently logged-in user and assign certain people to the local admin group.

My question is which method is better, and could I get some instructions on the restricted groups via GPO? There is a lot out there about this method but not specifically for SBS 2008.

Thanks
Sam
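An added example, not from the question or any of the replies: a PowerShell audit that reads each workstation's local Administrators group and reports whether "Domain Admins" is present, so the effect of either GPO method can be verified after a gpupdate. It uses the ADSI WinNT provider so it also works on the Windows XP/7 clients typical of an SBS 2008 network; the `$Expected` list and the computer names are assumptions.

```powershell
# Audit the local Administrators group on one or more workstations and flag
# members that are not on the expected list (assumed defaults below).
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    # Principals you expect to see; anything else is reported as UNEXPECTED.
    [string[]]$Expected = @('Administrator', 'Domain Admins')
)

foreach ($computer in $ComputerName) {
    try {
        # WinNT provider works on legacy clients without Get-LocalGroupMember.
        $group   = [ADSI]"WinNT://$computer/Administrators,group"
        $members = @($group.Invoke('Members') | ForEach-Object {
            # Each member is a COM object; read its ADsPath (WinNT://DOMAIN/name).
            $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
            $path -replace '^WinNT://', '' -replace '/', '\'
        })
    } catch {
        Write-Warning "$computer : could not read Administrators group ($_)"
        continue
    }

    foreach ($m in $members) {
        $name   = ($m -split '\\')[-1]
        $status = if ($Expected -contains $name) { 'expected' } else { 'UNEXPECTED' }
        # New-Object keeps this compatible with PowerShell 2.0 on SBS 2008-era hosts.
        New-Object PSObject -Property @{ Computer = $computer; Member = $m; Status = $status }
    }

    if (-not ($members | Where-Object { $_ -like '*\Domain Admins' })) {
        Write-Output "$computer : 'Domain Admins' is NOT in local Administrators"
    }
}
```

Run it against a few workstations before and after linking the GPO (e.g. `.\Audit-LocalAdmins.ps1 -ComputerName WS01,WS02`) to confirm that Restricted Groups or the Preferences item actually changed the membership rather than only the policy.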

Premkumar Yogeswaran, Sr. Analyst - System Administrator

Commented:
Hi,

Domain admin group is a restricted group by default.

You do not need to add that to Local Admin; it will be added automatically if the workstation is a member of the domain.

Cheers,
Prem

Author

Commented:
Hello,

Yes but if I do make a user a domain admin I want to restrict who then is allowed to be a local admin.

I would rather remove the domain admin group from being a local admin.

Premkumar Yogeswaran, Sr. Analyst - System Administrator

Commented:
Hi,
For Method A:
Do you want to add the users manually to the domain admin group? For how many users can you add this?

My Suggestion: Domain Admin is the highest privilege, which a high-level admin should have, with unrestricted access.

Why do you want to restrict that?

For Method B:
This method is used to disable the account on the local system.
I don't think this could work to add users.

Please let me know if there is any reason for you to remove the domain admin from the local admin group.

Cheers,
Prem

Author

Commented:
Hello,

Simply because a select few should have access to local admin, but not all domain admins. Also, method b does work to remove the currently logged-in user from the local admin group and to remove/add new users.

Sam
Commented:
I am confused as to why you want to do this. Domain admins, by definition, are administering the domain and thus should be able to administer any machine that has been joined to the domain.

If you need a user to be able to do certain tasks on the domain controller, but want to prevent them from doing tasks on the workstation, then don't make them domain admins. Create a separate security group, add that security group to the appropriate security policies to grant the permissions you need, and understand the consequences. This is a *very* strange configuration and I'm not at all sure I understand the purpose.

Perhaps if we understood what you are trying to accomplish (give us an example use scenario with a user that needs these restrictions) we can help provide you with a better way.

Commented:
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.