• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 818
  • Last Modified:

Assign domain admin rights and privileges to domain local group

I have a "Domain Local Group" that must have the same rights and privileges to every object in our windows 2008 domain that the "Domain Admins" global group has by "default".

I cannot simply "add" the Domain Local Group to the "Domain Admins" global group because Active Directory does not allow that to happen.

Therefore, I need to get a list of every right and priveledge that the "Domain Admins" global group has by default and "custom add" all those rights and priveledges to my "Domain Local Group".

Does anyone have a script that adds all the rights and priveledges that "Domain Admins" global group has by default to a domain local group?

Or can anyone suggest a solution for doing this?

Please do not suggest a work around, I need to actually make a particular "Domain Local Group" have all the same rights and priveledges that the "Domain Admins" group has by default.

I have a single active directory domain controller. I need to accomplish this before adding anything else to my environment. Right now, everything is freshly set-up in default form.
  • 2
1 Solution
I don't understand the requirement.  That is what the DOMAIN ADMINS group is for.  Why create another group with the same rights?
Krzysztof PytkoActive Directory EngineerCommented:
Please download GUI tool named LIZA (it's free and easy in use)

To run LIZA you need to have installed .NET 2.0 (and it doesn't need to be on a DC)
Then you can simply get information about Domain Admins assignment

and you can follow this article to see how it works

or you can use dsacls command but it is not so easy.

If you wish, you may also visit my blog and see articles about delegating rights

ACECORPAuthor Commented:

Thanks for your efforts.

Apparently, even with the tools you mentioned this seems impossible. Those tools do not show that there are hidden/non-viewable Microsoft Only ACL's in addition to various Schema Classes that the Domain Admins global group is hardcoded into. I found that out and then spent a considerable amount of time discussing the technical aspects of this with a Microsoft Active Directory OS Developer from Redmond. The result of the discussion is that he said  

"while it is possible to create a similar group that behaves like Domain Admins group if you spend a significant amount of time and effort manually granting access to all of the components and items we discussed, it will not be the 100% same because it will still not have access to the hidden/non-viewable Microsoft Only ACL's as well as the Schema Classes that the Domain Admins global group is hardcoded into. What you are looking to do, we cannot achieve that without re-writing the Windows Operating System. I am sorry."

I will give you the 500 points for your efforts. Apparently what I need to acchieve is "not possible without re-writing the Windows Operating System", so I will have to suffer without meeting my objective.
Krzysztof PytkoActive Directory EngineerCommented:
Hm, really interesting thing :) Thank you for sharing this information, it is really useful


Featured Post

Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now