• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1715
  • Last Modified:

Local Admin vs. Domain Admin

Quick question. I need to explain the advantages of having domain admin rights vs local admin rights on the network. Can someone please give me 5 senarios which you would need domain admin rights instead of just local admin rights.

The problem is we have moving to a new network and the powers that be want to remove our domain controller here and have us swing off a DC in another state. I have over 150 Windows clients and servers on the domain. Right now i push all updates via wsus, push packages via AD, etc,etc... My meeting is at 3 today so I have 40 minutes left to prepare.. Thanks..
0
Bryant
Asked:
Bryant
3 Solutions
 
AustinComputerLabsCommented:
from: http://technet.microsoft.com/en-us/library/cc700835.aspx

Administrative accounts in an Active Directory domain include:

•The Administrator account, which is created when Active Directory is installed on the first domain controller in the domain. This is the most powerful account in the domain. The person who installs Active Directory on the computer creates the password for this account during installation.
 
Any accounts that you later create and either place in a group that has administrative privileges or directly assign administrative privileges.
 
Administrative groups in an Active Directory domain vary depending on the services that you have installed in your domain. Those used specifically for administering Active Directory include:
 
Administrative groups that are automatically created in the Builtin container.

Administrative groups that are automatically created in the Users container.

Any groups that you later create and either place in another group that has administrative privileges or directly assign administrative privileges.


Administrators
This group has complete control over all domain controllers and all directory content stored in the domain, and it can change the membership of all administrative groups in the domain. It is the most powerful service administrative group.
 
Domain Admins
This group is automatically added to the corresponding Administrators group in every domain in the forest. It has complete control over all domain controllers and all directory content stored in the domain and it can modify the membership of all administrative accounts in the domain.
 


0
 
Lee W, MVPTechnology and Business Process AdvisorCommented:
I do work for a company where the SITE has no domain admin rights, instead, there are site-specific "Workstation Admins" and "Server Admins" groups - these groups are added to all local machines (as appropriate, server admins to servers, workstation admins to workstations) and then our user accounts are placed in those groups.  The only systems we don't have access to are DCs, though we have been delegated control over our top level OU so that we can create/modify our user accounts and join computers to the domain.  If the "main office" is going to deploy updates, than it's not your job anymore.  We created and use our own logon script by creating a share on a local server and placing the script in the machine's all users startup group - this limits us to running as the user, but that's generally fine as anything that requires admin privilages can be done by us remotly using PSEXEC since we're "workstation admins".

I'm sure this is not what you were looking for, but the biggest disadvantage is in terms of applying settings and deploying software with group policy - but if you know what you're doing and you have local admin access, that shouldn't be an issue as just about everything can be done by script.

OF course, if they won't put you in groups like Server Admins and Workstation Admins, than that's a big problem.
0
 
Justin OwensITIL Problem ManagerCommented:
Like leew, I work in an environment where only two (out of an IT staff of several hundred) actual people have domain admin rights.  Everything else is delegated.  There is not a technical requirement for you to have domain admin rights, and if I was your main office, I would not allow any remote sites to have it.  I would, however, consider a RODC if WAN latency causes slower login times due to moving the DC offsite.  I am sure that isn't what you wanted to hear, but that is still the case.

DrUltima
0
Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

 
BryantAuthor Commented:
leew and DrUltima....

Lets say you have a subdomain that you control now in a lab environment where you not only deal with regular end users, but programmers, designers etc that know just enough to get impatient and screw up the computer they are working on. (Right now my lab environment network is almost bigger than the rest of the company combined. )Everything authenticates locally now and everything is really fast. After setting up several test boxes that goes the tunnel…everything slows down because of the traffic between the two sites. There is only one admin at this site that is responsible for all of the equipment; both on the Windows side and Linux/Unix side. If a package needs to be pushed it has to be done manually after the cutover instead of just creating a package to push via AD. As of right now I can’t do anything with my domain account except add computers to the domain. I can’t even update java or adobe without using a local account. The meeting today should have solved this problem one way or another but the domain administrator was not on the call to talk about it. Basically I know the security risk of having domain admin rights I am just looking for examples so I can say when you have a local admin you can do this that and the other but local admin accounts cant do this efficiently. Things like that. The ideal scenario that I am pushing for is to keep everything like I have it now and keep my domain controller locally which I have control over my subdomain. I don’t need to create users on the domain as a whole or touch any part of the domain except the labs.

thanks for you help...
0
 
FireW0lfCommented:
You say it is a child domain... I would set only a couple of GPOs on the root domain - things like password policies, etc

Everything else you would set against the child domain, then it's the servers who are talking to each other, and the child domain members only talk to the child domain DCs

As for DA/LocalA, again, you have a forest so I would assume you are an Enterprise Admin. You have several options really, have Domain Admins of only the child domain, or create a group of "Half Admins" - where they are Domain User accounts but have been delegated to have certain other permissions too. It all depends on how granular you want control to be, and how much you trust the other IT staff in your Corp really
0
 
Justin OwensITIL Problem ManagerCommented:
bw5011,

If you would let us know the items you want to accomplish, we could better let you know whether you needed DA rights.  Everyone is different, and I will be frank when I say that most technicians dislike getting their permissions reduced.  We will help you construct a business need, if one exists, to be certain.  Thus far, I have not seen anything in this Question which mandates it.

DrUltima
0
 
BryantAuthor Commented:
thanks for everyones help. I was able to use a combination of everyones suggestions whether it was a pro or con to obtain the outcome that I wanted.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now