How to grant specific permissions to domain user accounts without adding them to Domain Admins group
OK, I am sure this has been addressed before, but I am in a hurry and cannot find anything on it.
Can anyone direct me to links or explain how I can give domain user accounts the necessary rights to add/remove computer objects from the domain and other rights that they may need to perform MS updates and install applications, like Flash Player, Adobe Reader, etc. without them being part of the Domain Admins group? Which is what they are right now. Or is it just too much hassle to manage and just leave them as Domain Admins?
Add the user to the domain-level Administrators group. This will allow the user to apply patches, updates, apps, etc., but not give any rights within AD.
By default Windows is set to allow anyone to add up to 10 computers to the domain. To be able to install applications on the local PC you could add them to the local admin group on the PC's. This will give them full admin rights on the PC without giving them domain rights to the servers. It depends on the amount of security you wish to maintain over the local PC's.
The built-in administrators group will give them rights in AD and that group replicates. The difference is that domain admins are in the local admin group of every machine by default.
You can also delegate rights in AD or use other builtin groups like account operators.
What you are doing and trying to reduce domain admins is a good thing
Thanks
Mike
0
There are many ways to learn to code these days. From coding bootcamps like Flatiron School to online courses to totally free beginner resources. The best way to learn to code depends on many factors, but the most important one is you. See what course is best for you.
dave_it,
I am not sure I follow you. Isn't the domain level administrators group the same thing as the Domain Admin group? I mean especially if the domain administrator group is a member of the Domain Admins group, which it is.
I have setup a policy to add them to the local admin group on the PC's, so that is good to go. However, I am concerned about them running into issues with trying to add computers to the domain and removing them when needed.
I am trying to do this in a way that doesn't interfere with their normal everyday tasks.
In our organization we have created a group called "special admins" that we add to the local administrators group through GPO. Individuals placed in that group have full admin rights to any system they log onto without giving them domain admin rights. We use this mainly for laptops.
No, Domain Admins and the built-in Administrators group are separate groups. We use this group to grant select individuals the ability to patch Domain Controllers. However, after reading Mike's comment I realized that this group will most likely not provide the solution to your original question.
As mentioned above, a better solution would be to create a new AD group, script it or use a GPO to drop it into the local Administrators group on PC's and servers, and then delegate the AD rights needed.
0
rsnellmanIT ManagerAuthor Commented:
OK, that all makes sense, but I guess I am trying to figure out what AD rights are needed to delegate for these special admin groups so they can add to/remove from computers from the domain.
Any ideas or links to assist will be greatly appreciated.
You need to do that at the OU you want them to be able to add the computer too. Look through the options in case I missed any.
0
rsnellmanIT ManagerAuthor Commented:
Wait, what about computers already added to the domain. Would I need to do the root of the domain to delegate rights to be able to remove the computers (computer objects) from the domain? Or would have to do that to each and every OU for this special admin group?