Windows Active Directory Domain Admins group questions

Hi People,

I have some questions regarding the Domain Admins group that is built in to Active Directory.

1. Is the Domain Admins group automatically put as a member of each server's local Administrators group once the server is joined to the AD domain?

2. I'd like to remove some members of the IT helpdesk support team from the Domain Admins group, but I still want them to be able to log in to certain servers and perform a restart when necessary, and nothing else. Does placing them in the local server Power Users group allow them to reboot the server?
Asked by Senior IT System Engineer (IT Professional):
VB ITS (Specialist Consultant) commented:
1. Is the Domain Admins group automatically put as a member of each server's local Administrators group once the server is joined to the AD domain?
Yes, the Domain Admins group is automatically added to the server's local Administrators group when it is joined to the domain. Please see the Description under Administrators in this article for further info: http://technet.microsoft.com/en-us/library/cc785098%28WS.10%29.aspx

2. I'd like to remove some members of the IT helpdesk support team from the Domain Admins group, but I still want them to be able to log in to certain servers and perform a restart when necessary, and nothing else. Does placing them in the local server Power Users group allow them to reboot the server?
If you only want the user to restart the server and do nothing else, you can modify the User Rights Assignment on the server either through gpedit.msc or Group Policy.
Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > double click Shut down the system > you can then either add the individual user or a security group in here.

If they are going to be logging into the server remotely then remember that you may need to also add them to the Remote Desktop Users group on the server once you take them out of the Domain Admins group.
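An added audit script (not from this thread) that checks on a member server the three points VB ITS makes: whether Domain Admins is in the local Administrators group, which accounts hold the "Shut down the system" right, and who is in Remote Desktop Users. It assumes an elevated PowerShell 5.1+ session, logged on with a domain account so that $env:USERDOMAIN is the NetBIOS domain name.

```powershell
# Added audit example (not from this thread). Run elevated on a domain-joined
# member server. Assumption: logged on with a domain account, so $env:USERDOMAIN
# is the NetBIOS name of the AD domain.
$domainAdmins = "$env:USERDOMAIN\Domain Admins"

# 1. Domain Admins should appear in the local Administrators group.
$localAdmins = Get-LocalGroupMember -Group 'Administrators'
$daPresent   = [bool]($localAdmins | Where-Object { $_.Name -eq $domainAdmins })
"Domain Admins in local Administrators: $daPresent"

# 2. Who holds SeShutdownPrivilege ("Shut down the system")? secedit exports the
# effective local policy to an .inf whose [Privilege Rights] section lists the
# right as a comma-separated list of SIDs, e.g.
#   SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-551
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -match '^SeShutdownPrivilege\s*=' }
Remove-Item $cfg -Force
$holders = ($line -replace '^SeShutdownPrivilege\s*=\s*', '') -split ',' |
    ForEach-Object {
        $id = $_.Trim().TrimStart('*')
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($id)
            $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { $id }   # not a SID or not resolvable: show the raw entry
    }
"Accounts with SeShutdownPrivilege:"
$holders | ForEach-Object { "  $_" }

# 3. Non-administrators can only reach the server over RDP through this group
# (or an explicit 'Allow log on through Remote Desktop Services' right).
"Remote Desktop Users members:"
Get-LocalGroupMember -Group 'Remote Desktop Users' | ForEach-Object { "  $($_.Name)" }
```

Run it on a server before and after the GPO is applied: the helpdesk group should show up under SeShutdownPrivilege (and, if they log on remotely, in Remote Desktop Users) but not in Administrators.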
Senior IT System Engineer (IT Professional), author, commented:
Hi VB,

So in this case, how can I DENY all users connecting via RDP to the domain-joined servers, apart from the Domain Admins?

Because my understanding is that Domain Admins is always part of the local Administrators group of the server, which is always granted access to the server using RDP.
Senior IT System Engineer (IT Professional), author, commented:
Thanks VB ITS for the clarification.

So for the Service Desk/Help Desk team who should not be getting the local admin right, they should be placed into the "IT Helpdesk" AD security group, and then, using the GPO that you mentioned, add it into the rule?
VB ITS (Specialist Consultant) commented:
So in this case, how can I DENY all users connecting via RDP to the domain-joined servers, apart from the Domain Admins?
This should already be in place as Domain Admins (being part of the Administrators group) will already have RDP access to all domain-joined machines. All users will not be able to RDP to any of your servers by default unless they are manually added to the Remote Desktop Users group on each server.
So for the Service Desk/Help Desk team who should not be getting the local admin right, they should be placed into the "IT Helpdesk" AD security group, and then, using the GPO that you mentioned, add it into the rule?
Yes, that's correct. Remove your Service Desk/Help Desk team members from the Domain Admins group, create a new Security Group, then add them to this new Security Group. You can then create a GPO to grant this Security Group shutdown rights using the policy mentioned in my previous post.

Just remember that with the GPO you will need to apply it to an Organizational Unit which contains the computer objects for all of your member servers in ADUC, as the policy is a Computer level policy.
Senior IT System Engineer (IT Professional), author, commented:
Cool,

That does make sense. So if the AD OU structure has multiple office site locations under the root domain.com, should I create the GPO at the root level, the same as the Default Domain Controllers policy (default GPO)?
VB ITS (Specialist Consultant) commented:
If you create the GPO at the root level then your team will have the ability to shutdown all the computers and servers in the organization. Whether this is something you want, it is up to you.
Senior IT System Engineer (IT Professional), author, commented:
OK, so how about placing a DENY or exception on the Data Center Servers OU?
Is there any GPO trick that can be done to prevent that from happening?
VB ITS (Specialist Consultant) commented:
You can right click on the Data Center Servers OU in the Group Policy Management Console > Block Inheritance.

This will however block all other GPOs from applying to the computers in the Data Center Servers OU. What you will then need to do is re-link the GPOs that you want to run on these computers by right clicking on the Data Center Servers OU > Link an Existing GPO... > select your GPO from the list > repeat until you have applied all the GPOs you want applying to your servers at the data center.

Another option would be to use the steps in this article to prevent the GPO from applying to specific computers: http://www.grouppolicy.biz/2010/05/how-to-exclude-individual-users-or-computers-from-a-group-policy-object/

At Step 3 in this article when you click on Add to add the computer object, you will need to click on the Object Types button then tick the box for Computers so that you can add the computer objects for each server in your Data Center Servers OU.
[Attached screenshot: Object-Types.PNG]
Senior IT System Engineer (IT Professional), author, commented:
Thanks man for the quick reply and explanation. So in this case, if I use the method that is set out in the article linked above, http://www.grouppolicy.biz/2010/05/how-to-exclude-individual-users-or-computers-from-a-group-policy-object/, do I need to manually add new servers that are added to the Data Center OU?

Or is there any manual intervention that is needed later on, or is it just a one-off process?
VB ITS (Specialist Consultant) commented:
Yes, if you use the method in that link you will need to manually add any new servers you add to the Data Center Servers OU to the ACL of the shutdown GPO, and then tick the box to deny the GPO from applying to the new server.

If you'd rather do it once then I suggest using the first method in my previous post, i.e. block inheritance on the OU then re-link all the policies except for the allow shut down policy. An idea would be to note down all the current policies applying to the Data Center Servers OU by clicking on the OU in GPMC > Linked Group Policy Objects tab.
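An added GPMC script (not from this thread) for the two approaches VB ITS describes: it records every GPO currently reaching the Data Center Servers OU before Block Inheritance is enabled, lists the Deny entries on the shutdown GPO's ACL, and flags any computer in the OU that is not yet excluded. It assumes the GroupPolicy and ActiveDirectory RSAT modules; the OU path and GPO name are placeholders.

```powershell
# Added example (not from this thread). Assumes RSAT GroupPolicy and
# ActiveDirectory modules; $ou and $gpoName are placeholders for this domain.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$ou      = 'OU=Data Center Servers,DC=domain,DC=com'   # placeholder
$gpoName = 'Helpdesk - Allow Shutdown'                 # placeholder

# 1. Option A prep: note every GPO reaching the OU so they can be re-linked
# after Block Inheritance. Enforced links still apply through a block.
$inh = Get-GPInheritance -Target $ou
"Inheritance blocked on OU: $($inh.GpoInheritanceBlocked)"
"Linked directly on the OU:"
$inh.GpoLinks | ForEach-Object {
    "  $($_.DisplayName)  enabled=$($_.Enabled) enforced=$($_.Enforced)"
}
"Effective GPOs (linked plus inherited), in precedence order:"
$inh.InheritedGpoLinks | ForEach-Object {
    "  $($_.DisplayName)  enforced=$($_.Enforced)"
}

# 2. Option B check: which principals carry a Deny ACE on the shutdown GPO
# (the "deny Apply Group Policy" exclusion from the linked article).
$denied = Get-GPPermission -Name $gpoName -All | Where-Object { $_.Denied }
"Deny entries on '$gpoName':"
$denied | ForEach-Object { "  $($_.Trustee.Name)  ($($_.Permission))" }

# 3. Servers in the OU whose SID is not in that deny list will still receive
# the GPO; this is the per-server manual step VB ITS warns about.
$deniedSids = $denied | ForEach-Object { $_.Trustee.Sid.Value }
Get-ADComputer -SearchBase $ou -Filter * |
    Where-Object { $deniedSids -notcontains $_.SID.Value } |
    ForEach-Object { "Not excluded from '$gpoName': $($_.Name)" }
```

Step 3 is the check to schedule if you go with the ACL method, since every new server dropped into the OU must be added by hand.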
Senior IT System Engineer (IT Professional), author, commented:
Many thanks for the quick clarification!
VB ITS (Specialist Consultant) commented:
You're welcome :)