Solved

Windows Active Directory Domain Admins group questions

Posted on 2014-10-29
Last Modified: 2014-10-30
Hi People,

I have some questions regarding the Domain Admins group that is built in to Active Directory.

1. Is the Domain Admins group automatically put as a member of each server's local Administrators group once the server is joined to the AD domain?

2. I'd like to remove some members of the IT helpdesk support team from the Domain Admins group, but I still want them to be able to log in to certain servers and perform a restart when necessary, and nothing else. Does placing them in the local server's Power Users group allow them to reboot the server?
12 Comments
LVL 24

Assisted Solution

by:VB ITS
VB ITS earned 500 total points
1. Is the Domain Admins group automatically put as a member of each server's local Administrators group once the server is joined to the AD domain?
Yes, the Domain Admins group is automatically added to the server's local Administrators group when it is joined to the domain. Please see the Description under Administrators in this article for further info: http://technet.microsoft.com/en-us/library/cc785098%28WS.10%29.aspx

2. I'd like to remove some members of the IT helpdesk support team from the Domain Admins group, but I still want them to be able to log in to certain servers and perform a restart when necessary, and nothing else. Does placing them in the local server's Power Users group allow them to reboot the server?
If you only want the user to restart the server and do nothing else you can modify the User Rights Assignment on the server either through gpedit.msc or Group Policy.
Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > double click Shut down the system > you can then either add the individual user or a security group in here.

If they are going to be logging into the server remotely then remember that you may need to also add them to the Remote Desktop Users group on the server once you take them out of the Domain Admins group.
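To verify on a member server that the User Rights Assignment change above actually took effect, here is an added PowerShell check (not from the thread or from either poster). It exports the local security policy with the built-in secedit.exe and lists which principals hold the shutdown and Remote Desktop logon rights; the temporary file name is an assumption.

```powershell
# Added example: audit who holds "Shut down the system" and the RDP logon rights
# on this server. Run in an elevated PowerShell session on the member server.
$exportPath = Join-Path $env:TEMP 'secpol-audit.inf'   # assumed scratch file
secedit.exe /export /cfg $exportPath /areas USER_RIGHTS | Out-Null

# Privilege constants of interest, mapped to their names in gpedit.msc.
$rights = @{
    SeShutdownPrivilege               = 'Shut down the system'
    SeRemoteInteractiveLogonRight     = 'Allow log on through Remote Desktop Services'
    SeDenyRemoteInteractiveLogonRight = 'Deny log on through Remote Desktop Services'
}

function Resolve-Principal([string]$entry) {
    # secedit writes SIDs prefixed with '*'; translate them to DOMAIN\Name.
    if ($entry.StartsWith('*')) {
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.TrimStart('*'))
            return $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            return $entry   # unresolvable SID: deleted account or untrusted domain
        }
    }
    return $entry
}

# Lines look like: SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-551
foreach ($line in Get-Content $exportPath) {
    if ($line -match '^(?<right>Se\w+)\s*=\s*(?<members>.+)$' -and $rights.ContainsKey($Matches.right)) {
        $members = $Matches.members -split ',' | ForEach-Object { Resolve-Principal $_.Trim() }
        [pscustomobject]@{
            Right      = $rights[$Matches.right]
            Principals = ($members -join '; ')
        }
    }
}
Remove-Item $exportPath -ErrorAction SilentlyContinue
```

A right that nobody holds is simply absent from the export, so a missing "Deny log on through Remote Desktop Services" row means no deny entries, not an error. BUILTIN\Administrators in the output covers Domain Admins via the nested membership described in the answer.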
LVL 7

Author Comment

by:Senior IT System Engineer
Hi VB,

So in this case, how can I DENY all users from connecting using RDP to all the domain-joined servers, apart from the Domain Admins?

Because my understanding is that the Domain Admins group is always part of the local Administrators group of the server, which is always granted access to the server using RDP.
LVL 7

Author Comment

by:Senior IT System Engineer
Thanks VB ITS for the clarification.

So for the Service Desk/Help Desk team who should not be getting local admin rights, they should be placed into the "IT Helpdesk" AD security group, and then, using the GPO that you mentioned, add it into the rule?
LVL 24

Assisted Solution

by:VB ITS
VB ITS earned 500 total points
So in this case, how can I DENY all users from connecting using RDP to all the domain-joined servers, apart from the Domain Admins?
This should already be in place as Domain Admins (being part of the Administrators group) will already have RDP access to all domain-joined machines. All users will not be able to RDP to any of your servers by default unless they are manually added to the Remote Desktop Users group on each server.
So for the Service Desk/Help Desk team who should not be getting local admin rights, they should be placed into the "IT Helpdesk" AD security group, and then, using the GPO that you mentioned, add it into the rule?
Yes, that's correct. Remove your Service Desk/Help Desk team members from the Domain Admins group, create a new Security Group, then add them to this new Security Group. You can then create a GPO to grant this Security Group shutdown rights using the policy mentioned in my previous post.

Just remember that with the GPO you will need to apply it to an Organizational Unit which contains the computer objects for all of your member servers in ADUC, as the policy is a Computer level policy.
LVL 7

Author Comment

by:Senior IT System Engineer
Cool,

That does make sense. So if the AD OU structure has multiple office site locations under the root domain.com, should I create the GPO at the root level, the same as the Default Domain Controllers Policy (default GPO)?
LVL 24

Expert Comment

by:VB ITS
If you create the GPO at the root level then your team will have the ability to shut down all the computers and servers in the organization. Whether this is something you want is up to you.
LVL 7

Author Comment

by:Senior IT System Engineer
OK, so how about placing a DENY or exception in the Data Center Servers OU?
Is there any GPO trick that can be done to prevent that from happening?
LVL 24

Assisted Solution

by:VB ITS
VB ITS earned 500 total points
You can right click on the Data Center Servers OU in the Group Policy Management Console > Block Inheritance.

This will however block all other GPOs from applying to the computers in the Data Center Servers OU. What you will then need to do is re-link the GPOs that you want to run on these computers by right clicking on the Data Center Servers OU > Link an Existing GPO... > select your GPO from the list > repeat until you have applied all the GPOs you want applying to your servers at the data center.

Another option would be to use the steps in this article to prevent the GPO from applying to specific computers: http://www.grouppolicy.biz/2010/05/how-to-exclude-individual-users-or-computers-from-a-group-policy-object/

At Step 3 in this article when you click on Add to add the computer object, you will need to click on the Object Types button then tick the box for Computers so that you can add the computer objects for each server in your Data Center Servers OU.
[Attachment: Object-Types.PNG]
LVL 7

Author Comment

by:Senior IT System Engineer
Thanks man for the quick reply and explanation. So in this case, if I use the method that is set out in the article link above http://www.grouppolicy.biz/2010/05/how-to-exclude-individual-users-or-computers-from-a-group-policy-object/ do I need to manually add new servers that are added to the Data Center OU?

Or is there any manual intervention needed later on, or is it just a once-off process?
LVL 24

Accepted Solution

by:
VB ITS earned 500 total points
Yes, if you use the method in that link you will need to manually add any new servers you add to the Data Center Servers OU to the ACL of the shutdown GPO, and then tick the box to deny the GPO from applying to the new server.

If you'd rather do it once then I suggest using the first method in my previous post, i.e. block inheritance on the OU then re-link all the policies except for the allow shut down policy. An idea would be to note down all the current policies applying to the Data Center Servers OU by clicking on the OU in GPMC > Linked Group Policy Objects tab.
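The accepted answer suggests noting down every policy currently applying to the Data Center Servers OU before blocking inheritance. Here is an added PowerShell snippet (not from the thread or from either poster) that takes that snapshot with the GroupPolicy module (RSAT) and produces the re-link list minus the shutdown GPO; the OU distinguished name and the GPO name are assumptions.

```powershell
# Added example: snapshot the effective GPO links on the Data Center Servers OU
# and compute which ones must be re-linked after Block Inheritance is enabled.
Import-Module GroupPolicy
$ou          = 'OU=Data Center Servers,OU=Servers,DC=domain,DC=com'   # assumed DN
$shutdownGpo = 'Helpdesk - Allow Shutdown'                            # assumed GPO name

$inheritance = Get-GPInheritance -Target $ou
"Inheritance currently blocked on {0}: {1}" -f $inheritance.Name, $inheritance.GpoInheritanceBlocked

# InheritedGpoLinks is the effective list (domain and parent OU links plus direct links).
# GpoLinks holds only links made directly on this OU; those survive Block Inheritance.
$direct = $inheritance.GpoLinks | Select-Object -ExpandProperty DisplayName

$toRelink = foreach ($link in $inheritance.InheritedGpoLinks) {
    if ($link.DisplayName -in $direct)      { continue }   # already linked here
    if ($link.DisplayName -eq $shutdownGpo) { continue }   # the policy we want to drop
    if ($link.Enforced)                     { continue }   # Enforced links ignore Block Inheritance
    [pscustomobject]@{
        GPO      = $link.DisplayName
        LinkedAt = $link.Target
        Enabled  = $link.Enabled
    }
}

$toRelink | Format-Table -AutoSize
$toRelink | Export-Csv -Path '.\datacenter-gpo-relink.csv' -NoTypeInformation

# Once reviewed: Set-GPInheritance -Target $ou -IsBlocked Yes
# then re-link from the list: foreach ($g in $toRelink) { New-GPLink -Name $g.GPO -Target $ou }
```

If the shutdown GPO itself is linked with Enforced set, it will still reach the OU despite Block Inheritance, so check that column before relying on this approach.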
LVL 7

Author Closing Comment

by:Senior IT System Engineer
Many thanks for the quick clarification!
LVL 24

Expert Comment

by:VB ITS
You're welcome :)