Bryant

asked on

Local Admin vs. Domain Admin

Quick question. I need to explain the advantages of having domain admin rights vs. local admin rights on the network. Can someone please give me 5 scenarios in which you would need domain admin rights instead of just local admin rights?

The problem is we are moving to a new network and the powers that be want to remove our domain controller here and have us swing off a DC in another state. I have over 150 Windows clients and servers on the domain. Right now I push all updates via WSUS, push packages via AD, etc., etc. My meeting is at 3 today so I have 40 minutes left to prepare. Thanks.
AustinComputerLabs

from: http://technet.microsoft.com/en-us/library/cc700835.aspx

Administrative accounts in an Active Directory domain include:

• The Administrator account, which is created when Active Directory is installed on the first domain controller in the domain. This is the most powerful account in the domain. The person who installs Active Directory on the computer creates the password for this account during installation.
• Any accounts that you later create and either place in a group that has administrative privileges or directly assign administrative privileges.

Administrative groups in an Active Directory domain vary depending on the services that you have installed in your domain. Those used specifically for administering Active Directory include:

• Administrative groups that are automatically created in the Builtin container.
• Administrative groups that are automatically created in the Users container.
• Any groups that you later create and either place in another group that has administrative privileges or directly assign administrative privileges.


Administrators
This group has complete control over all domain controllers and all directory content stored in the domain, and it can change the membership of all administrative groups in the domain. It is the most powerful service administrative group.
 
Domain Admins
This group is automatically added to the corresponding Administrators group in every domain in the forest. It has complete control over all domain controllers and all directory content stored in the domain and it can modify the membership of all administrative accounts in the domain.
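
The quoted text notes that an account becomes administrative either directly or by being placed in a group that is itself nested in an administrative group. The following is an added example, not part of the post or of the TechNet article, that lists who effectively holds membership in the two groups described above and whether it is direct or inherited. It assumes the RSAT ActiveDirectory PowerShell module and read access to the domain; the function name `Get-EffectiveAdminMembers` is hypothetical.

```powershell
# Added example: requires the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

function Get-EffectiveAdminMembers {
    param(
        # The two groups described in the quoted TechNet text.
        [string[]]$GroupName = @('Administrators', 'Domain Admins')
    )

    foreach ($name in $GroupName) {
        $group = Get-ADGroup -Identity $name

        # Direct members only, used to tell direct membership from inherited membership.
        $direct = @(Get-ADGroupMember -Identity $group |
            Select-Object -ExpandProperty distinguishedName)

        # -Recursive flattens nested groups and returns only the leaf (non-group) members.
        Get-ADGroupMember -Identity $group -Recursive | ForEach-Object {
            [pscustomobject]@{
                Group       = $group.Name
                Account     = $_.SamAccountName
                ObjectClass = $_.objectClass
                Path        = if ($direct -contains $_.distinguishedName) { 'direct' } else { 'nested' }
            }
        }
    }
}

# Accounts marked 'nested' hold the rights only through another group,
# for example Domain Admins members showing up under Administrators.
Get-EffectiveAdminMembers |
    Sort-Object Group, Path, Account |
    Format-Table -AutoSize
```

Rows marked `nested` are the ones a review of direct group membership alone would miss.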
 


Bryant

ASKER

leew and DrUltima....

Let's say you have a subdomain that you control now in a lab environment where you not only deal with regular end users, but programmers, designers, etc. that know just enough to get impatient and screw up the computer they are working on. (Right now my lab environment network is almost bigger than the rest of the company combined.) Everything authenticates locally now and everything is really fast. After setting up several test boxes that go through the tunnel… everything slows down because of the traffic between the two sites. There is only one admin at this site that is responsible for all of the equipment, both on the Windows side and Linux/Unix side. If a package needs to be pushed it has to be done manually after the cutover instead of just creating a package to push via AD. As of right now I can’t do anything with my domain account except add computers to the domain. I can’t even update Java or Adobe without using a local account. The meeting today should have solved this problem one way or another but the domain administrator was not on the call to talk about it. Basically I know the security risk of having domain admin rights; I am just looking for examples so I can say when you have a local admin you can do this, that and the other, but local admin accounts can’t do this efficiently. Things like that. The ideal scenario that I am pushing for is to keep everything like I have it now and keep my domain controller locally, where I have control over my subdomain. I don’t need to create users on the domain as a whole or touch any part of the domain except the labs.

Thanks for your help...
bw5011,

If you would let us know the items you want to accomplish, we could better let you know whether you needed DA rights.  Everyone is different, and I will be frank when I say that most technicians dislike getting their permissions reduced.  We will help you construct a business need, if one exists, to be certain.  Thus far, I have not seen anything in this Question which mandates it.

DrUltima
Bryant

ASKER

Thanks for everyone's help. I was able to use a combination of everyone's suggestions, whether it was a pro or con, to obtain the outcome that I wanted.