DOMAIN ADMIN MEMBER OF...

Hello experts, I have the project of cleaning up security for our domain and I ran into this... I notice the DOMAIN ADMIN is a member of other groups; so does that mean that users in those groups are also domain admins? If yes, this is definitely an issue, I believe only the administrators group should be present here. Correct?

Domain admin Group member of list...
epicazo Asked:

Brian Pierce (Photographer) Commented:
No it doesn't
0

Patrick Bogers (Datacenter platform engineer Lindows) Commented:
Hi

Administrators in Active Directory are always Domain admins because domain controllers don't know 'local admins'
This has nothing to do with the 'local' Administrators you see on laptops/workstations, they are not the same administrators.
0
Thomas Grassi (Systems Administrator) Commented:
No, only users that are member of domain admins will have admin rights.

Domain admins group is added to that so the members of the domain admins will have access to those rights.
0
Brian Pierce (Photographer) Commented:
If a domain admin is a member of another group, it does not give domain admin rights to the group or any users in it.
0
Patrick Bogers (Datacenter platform engineer Lindows) Commented:
To be more clear, you show the tab "Member Of", which means the group DOMAIN admins is a member of these groups.

If you now click on MEMBERS button, there should be only administrators.
0
Life1430 (Sr Engineer) Commented:
If Administrator is a member of these groups it makes no difference to any of the groups...
However it does not look good and you may remove the "Account operator" & "GRP exit writer" groups from here
0
piattnd Commented:
Rights flow downward only.  Easiest way to look at it:

-Members tab shows everyone who gets permissions this group has
-Member of shows every group that passes permissions to this object (be it group or user)
0
Mike Kline Commented:
and to add by default domain admins are in the Administrators group and Denied RODC  Password replication groups.  The RODC group means their passwords don't get cached on RODCs.

Thanks

Mike
0
Nick Rhode (IT Director) Commented:
Agreed with piattnd :)

If you're worried about your most privileged groups, just open up the properties and look at members.  This way you can see who or what groups have those permissions.  If you have some suspicious users you're trying to peg out, check the member of tab under the user's properties.
0
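The Members / Member Of check described in the comments above can be scripted. This PowerShell sketch is an added example, not part of any post in this thread; it assumes the RSAT ActiveDirectory module is installed and uses the group names mentioned in the question.

```powershell
# Requires the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

$privileged = 'Domain Admins'   # group under review
$suspect    = 'GrpExitWriter'   # group name from the question; adjust to your domain

# "Member Of" tab: groups that Domain Admins itself belongs to (direct only).
# Domain Admins inherits what these groups grant; their other members
# do not become Domain Admins because of it.
$memberOf = Get-ADPrincipalGroupMembership -Identity $privileged |
    Select-Object -ExpandProperty Name

# "Members" tab, one level: direct members of Domain Admins (users or groups).
$direct = Get-ADGroupMember -Identity $privileged

# Groups nested directly inside Domain Admins: every member of such a
# group holds Domain Admins rights.
$nestedGroups = $direct | Where-Object objectClass -eq 'group'

# Effective members: all accounts that end up with Domain Admins rights,
# including those that arrive through nested groups at any depth.
$effective = Get-ADGroupMember -Identity $privileged -Recursive

[pscustomobject]@{
    DomainAdminsIsMemberOf     = $memberOf -join ', '
    GroupsNestedInDomainAdmins = $nestedGroups.Name -join ', '
    SuspectIsMemberOfDA        = $nestedGroups.Name -contains $suspect  # risky direction
    DAIsMemberOfSuspect        = $memberOf -contains $suspect           # harmless direction
} | Format-List

# Accounts to review during the cleanup.
$effective | Sort-Object SamAccountName |
    Select-Object SamAccountName, objectClass, distinguishedName
```

If `SuspectIsMemberOfDA` is True, the members of that group are effectively Domain Admins and will appear in the final listing; if only `DAIsMemberOfSuspect` is True, they will not.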
epicazo (Author) Commented:
Forgive my ignorance.

So does this mean that users jdoe1,jdoe2, and jdoe3  do not have administrator rights?  Keep in mind although they are not members of DOMAIN ADMIN or ADMINISTRATORS, they are members of GrpExitWriter which is a member of DOMAIN ADMIN.

I just need to make an educated decision -- I guess I am still gonna remove GrpExitWriter from this domain admin group -- not sure why it's even there.
0
Thomas Grassi (Systems Administrator) Commented:
If GRpExitWriter is a member of Domain Admins then any member of GrpExitWriter has Domain admins rights.

That is an easier way to put members in a group than entering them all individually.
0
epicazo (Author) Commented:
Exactly what I thought.   Thanks!
0
Patrick Bogers (Datacenter platform engineer Lindows) Commented:
This is definitely the WRONG answer.
0
Mike Kline Commented:
Look at the screenshot, the screenshot shows that domain admins is a member of the GRP group

the answer has it backwards.

Thanks

Mike
0
Life1430 (Sr Engineer) Commented:
jdoe1, jdoe2, and jdoe3 will NOT have admin rights as GRpExitWriter is NOT a member of the Administrator group BUT Administrator is a member of the GRpExitWriter group.....

Your understanding is equally opposite of what facts are...
0
Patrick Bogers (Datacenter platform engineer Lindows) Commented:
I have flagged a mod requesting the deletion of this thread as it may mislead other sysadmins.
0