Solved

Windows Active Directory Domain Admins group questions

Posted on 2014-10-29
510 Views
Last Modified: 2014-10-30
Hi People,

I have some questions regarding the Domain Admins group that is built in to Active Directory.

1. Is the Domain Admins group automatically made a member of each server's local Administrators group once the server is joined to the AD domain?

2. I'd like to remove some members of the IT helpdesk support team from the Domain Admins group, but I still want them to be able to log in to certain servers and perform a restart when necessary, and nothing else. Does placing them in the local server's Power Users group allow them to reboot the server?
12 Comments
 
LVL 24

Assisted Solution

by:VB ITS
VB ITS earned 500 total points
ID: 40412460
1. Is the Domain Admins group automatically made a member of each server's local Administrators group once the server is joined to the AD domain?
Yes, the Domain Admins group is automatically added to the server's local Administrators group when it is joined to the domain. Please see the Description under Administrators in this article for further info: http://technet.microsoft.com/en-us/library/cc785098%28WS.10%29.aspx

2. I'd like to remove some members of the IT helpdesk support team from the Domain Admins group, but I still want them to be able to log in to certain servers and perform a restart when necessary, and nothing else. Does placing them in the local server's Power Users group allow them to reboot the server?
If you only want the user to restart the server and do nothing else, you can modify the User Rights Assignment on the server either through gpedit.msc or Group Policy.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment > double click Shut down the system > you can then either add the individual user or a security group in here.

If they are going to be logging into the server remotely then remember that you may need to also add them to the Remote Desktop Users group on the server once you take them out of the Domain Admins group.
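The two checks and the grant described in the answer above, as an added PowerShell example that is not from the original thread. It assumes a hypothetical domain CONTOSO and a hypothetical group "IT Helpdesk", and is meant to be run elevated on the member server itself. The important detail a practitioner wants: `secedit /configure` replaces the whole holder list for a privilege, so the script reads the current holders back from an export and appends the group rather than overwriting Administrators and Backup Operators.

```powershell
# Added example (not from the original thread). Assumed names: domain CONTOSO, group "IT Helpdesk".
# Run elevated in PowerShell 5.1+ on the target server. Dry run unless -Apply is given.
param(
    [string]$Group = 'CONTOSO\IT Helpdesk',
    # SeShutdownPrivilege = "Shut down the system" (restart from an interactive/RDP session).
    # Add 'SeRemoteShutdownPrivilege' only if they must run shutdown /r /m \\server remotely.
    [string[]]$Rights = @('SeShutdownPrivilege'),
    [switch]$Apply
)

# 1. Domain join puts Domain Admins into local Administrators; confirm nobody removed it.
$admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
if ($admins.Name -contains 'CONTOSO\Domain Admins') {
    Write-Host 'Domain Admins is a member of local Administrators (expected on a domain-joined server).'
} else {
    Write-Warning 'Domain Admins is not in local Administrators on this server.'
}

# 2. secedit works with *SID entries, so resolve the group name to its SID first.
$sid = (New-Object System.Security.Principal.NTAccount($Group)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# 3. Export the current user-rights assignments and read the holders of each right we touch.
$export = Join-Path $env:TEMP 'rights-export.inf'
secedit /export /cfg $export /areas USER_RIGHTS | Out-Null
$lines = Get-Content $export
$current = @{}
foreach ($priv in $Rights) {
    $line = $lines | Where-Object { $_ -match "^$priv\s*=" } | Select-Object -First 1
    $holders = @()
    if ($line) {
        $holders = @((($line -split '=', 2)[1]).Trim() -split ',') |
                   ForEach-Object { $_.Trim() } | Where-Object { $_ }
    }
    $current[$priv] = @($holders)
    Write-Host "$priv currently held by: $($current[$priv] -join ', ')"
}

# 4. Build an INF that keeps every existing holder and appends the helpdesk group.
$new = @{}
foreach ($priv in $Rights) {
    if ($current[$priv] -contains "*$sid") {
        Write-Host "$priv already includes $Group"
        continue
    }
    $new[$priv] = $current[$priv] + "*$sid"
}
Remove-Item $export -ErrorAction SilentlyContinue
if ($new.Count -eq 0) { return }

$inf = @('[Unicode]', 'Unicode=yes', '[Version]', 'signature="$CHICAGO$"', 'Revision=1', '[Privilege Rights]')
$inf += $new.GetEnumerator() | ForEach-Object { "$($_.Key) = $($_.Value -join ',')" }
$infPath = Join-Path $env:TEMP 'shutdown-right.inf'
$inf | Set-Content -Path $infPath -Encoding Unicode

if (-not $Apply) {
    Write-Host "Dry run. INF that would be applied:`n$($inf -join "`n")"
    return
}

# 5. Apply only the USER_RIGHTS area so nothing else in local security policy is touched.
secedit /configure /db (Join-Path $env:TEMP 'shutdown-right.sdb') /cfg $infPath /areas USER_RIGHTS | Out-Null

# 6. The right lets them restart; it does not let them log on over RDP. That is a separate
#    right, granted by membership of Remote Desktop Users (as the answer points out).
$rdp = Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue
if ($rdp.Name -notcontains $Group) {
    Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $Group
}
Write-Host "Applied. The right is effective at the user's next logon; verify with 'whoami /priv' as that user."
```

The export in step 3 also answers the Power Users part of the question empirically: it prints who actually holds "Shut down the system" on that server, so you can see whether Power Users is in the list instead of relying on a default that differs between Windows versions. Because the group gets a user right rather than Administrators membership, a member can restart the box but cannot install software, read other users' profiles, or dump credentials from LSASS, which is the point of taking them out of Domain Admins.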
 
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 40412600
Hi VB,

So in this case, how can I DENY all users from connecting using RDP to all domain-joined servers, apart from the Domain Admins?

Because my understanding is that Domain Admins is always part of the local Administrators group of the server, which is always granted access to the server using RDP.
 
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 40412633
Thanks VB ITS for the clarification.

So for the Service Desk/Help Desk team who should not be getting the local admin right, should they be placed into the "IT Helpdesk" AD security group, and then, using the GPO that you mentioned, add it into the rule?
 
LVL 24

Assisted Solution

by:VB ITS
VB ITS earned 500 total points
ID: 40414479
So in this case, how can I DENY all users from connecting using RDP to all domain-joined servers, apart from the Domain Admins?
This should already be in place as Domain Admins (being part of the Administrators group) will already have RDP access to all domain-joined machines. All users will not be able to RDP to any of your servers by default unless they are manually added to the Remote Desktop Users group on each server.
So for the Service Desk/Help Desk team who should not be getting the local admin right, should they be placed into the "IT Helpdesk" AD security group, and then, using the GPO that you mentioned, add it into the rule?
Yes, that's correct. Remove your Service Desk/Help Desk team members from the Domain Admins group, create a new Security Group, then add them to this new Security Group. You can then create a GPO to grant this Security Group shutdown rights using the policy mentioned in my previous post.

Just remember that with the GPO you will need to apply it to an Organizational Unit which contains the computer objects for all of your member servers in ADUC, as the policy is a Computer level policy.
 
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 40414483
Cool,

That does make sense. So if the AD OU structure has multiple office site locations under the root domain.com, should I create the GPO at the root level, the same as the Default Domain Controller policy (default GPO)?
 
LVL 24

Expert Comment

by:VB ITS
ID: 40414492
If you create the GPO at the root level then your team will have the ability to shutdown all the computers and servers in the organization. Whether this is something you want, it is up to you.
 
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 40414556
OK, so how about placing a DENY or exception on the Data Center Servers OU?
Is there any GPO trick that can be done to prevent that from happening?
 
LVL 24

Assisted Solution

by:VB ITS
VB ITS earned 500 total points
ID: 40414627
You can right click on the Data Center Servers OU in the Group Policy Management Console > Block Inheritance.

This will however block all other GPOs from applying to the computers in the Data Center Servers OU. What you will then need to do is re-link the GPOs that you want to run on these computers by right clicking on the Data Center Servers OU > Link an Existing GPO... > select your GPO from the list > repeat until you have applied all the GPOs you want applying to your servers at the data center.

Another option would be to use the steps in this article to prevent the GPO from applying specific computers: http://www.grouppolicy.biz/2010/05/how-to-exclude-individual-users-or-computers-from-a-group-policy-object/

At Step 3 in this article when you click on Add to add the computer object, you will need to click on the Object Types button then tick the box for Computers so that you can add the computer objects for each server in your Data Center Servers OU.
[Attachment: Object-Types.PNG]
 
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 40414636
Thanks man for the quick reply and explanation. So in this case, if I use the method that is set out in the article linked above, http://www.grouppolicy.biz/2010/05/how-to-exclude-individual-users-or-computers-from-a-group-policy-object/, do I need to manually add new servers that are added to the DataCenter OU?

Or is there any manual intervention that is needed later on, or is it just a once-off process?
 
LVL 24

Accepted Solution

by:VB ITS
VB ITS earned 500 total points
ID: 40414683
Yes, if you use the method in that link you will need to manually add any new servers you add to the Data Center Servers OU to the ACL of the shutdown GPO, and then tick the box to deny the GPO from applying to the new server.

If you'd rather do it once then I suggest using the first method in my previous post, i.e. block inheritance on the OU then re-link all the policies except for the allow shut down policy. An idea would be to note down all the current policies applying to the Data Center Servers OU by clicking on the OU in GPMC > Linked Group Policy Objects tab.
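The procedure from this accepted answer and the two answers before it (link the shutdown GPO at the member-server OU rather than the domain root, then block inheritance on the Data Center Servers OU and re-link everything except the shutdown GPO), as an added PowerShell example that is not part of the original thread. It assumes hypothetical names: a GPO "Helpdesk - Allow Shutdown" already holding the "Shut down the system" right (user rights cannot be set from the GroupPolicy module, so that part stays in GPMC), and OUs "OU=Member Servers,DC=contoso,DC=com" and "OU=Data Center Servers,OU=Member Servers,DC=contoso,DC=com". It does the "note down all the current policies" step for you, in precedence order, and is a dry run unless `-Apply` is given.

```powershell
# Added example (not from the original thread). Requires the GroupPolicy module (RSAT) and
# rights to edit GPO links on both OUs. All names below are hypothetical.
param(
    [string]$GpoName    = 'Helpdesk - Allow Shutdown',
    [string]$ServersOU  = 'OU=Member Servers,DC=contoso,DC=com',
    [string]$ExcludedOU = 'OU=Data Center Servers,OU=Member Servers,DC=contoso,DC=com',
    [switch]$Apply
)
Import-Module GroupPolicy -ErrorAction Stop
$gpo = Get-GPO -Name $GpoName -ErrorAction Stop

# 1. Link at the member-server OU, not the domain root: a root link would hand the helpdesk
#    the shutdown right on every computer in the domain, domain controllers included.
$serversInh = Get-GPInheritance -Target $ServersOU
if (@($serversInh.GpoLinks.GpoId) -notcontains $gpo.Id) {
    Write-Host "Would link '$GpoName' to $ServersOU"
    if ($Apply) { New-GPLink -Guid $gpo.Id -Target $ServersOU -LinkEnabled Yes | Out-Null }
}

# 2. Record what currently applies to the excluded OU (Order 1 = highest precedence).
$inh    = Get-GPInheritance -Target $ExcludedOU
$record = @($inh.InheritedGpoLinks | Sort-Object Order |
            Select-Object Order, DisplayName, GpoId, Target, Enabled, Enforced)
Write-Host "GPOs applying to $ExcludedOU before the change:"
$record | Format-Table -AutoSize | Out-String | Write-Host

# Block Inheritance does not stop an Enforced link, so the exclusion would silently fail.
$enforcedShutdown = $record | Where-Object { $_.GpoId -eq $gpo.Id -and $_.Enforced }
if ($enforcedShutdown) {
    Write-Warning "'$GpoName' is linked Enforced at $($enforcedShutdown.Target); Block Inheritance will NOT exclude it. Remove Enforced first."
    return
}

# 3. Links to recreate after blocking:
#    - skip links already on the excluded OU itself (they survive Block Inheritance)
#    - skip Enforced parent links (they keep applying regardless, so re-linking is redundant)
#    - skip the shutdown GPO, which is the whole point of the exercise
$toRelink = @($record | Where-Object {
    $_.Target -ne $ExcludedOU -and -not $_.Enforced -and $_.GpoId -ne $gpo.Id
})

Write-Host "Would block inheritance on $ExcludedOU and re-link $($toRelink.Count) GPO(s):"
$toRelink | ForEach-Object { Write-Host ('  {0} (Enabled={1})' -f $_.DisplayName, $_.Enabled) }
if (-not $Apply) { return }

# 4. Block, then re-link in ascending Order: New-GPLink appends at the lowest precedence,
#    so linking them in this sequence preserves their original relative precedence.
Set-GPInheritance -Target $ExcludedOU -IsBlocked Yes | Out-Null
foreach ($l in $toRelink) {
    $enabled = if ($l.Enabled) { 'Yes' } else { 'No' }
    New-GPLink -Guid $l.GpoId -Target $ExcludedOU -LinkEnabled $enabled | Out-Null
}

# 5. Verify the result instead of trusting it: the shutdown GPO must no longer apply here.
$after = Get-GPInheritance -Target $ExcludedOU
if (@($after.InheritedGpoLinks.GpoId) -contains $gpo.Id) {
    Write-Warning "'$GpoName' still applies to $ExcludedOU; check the links listed above."
} else {
    Write-Host "OK: '$GpoName' no longer applies to $ExcludedOU"
}
```

Run it once without `-Apply` and keep the printed "before" table; it is the record the answer suggests writing down. After applying, `gpresult /r /scope computer` on a data-center server should list the re-linked GPOs but not the shutdown GPO. The trade-off the answer describes still holds: any GPO linked to the parent OU later will not reach the blocked OU until someone links it there too, so the block is a standing maintenance item, whereas the deny-ACE method from the linked article needs a per-computer entry for each new server.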
 
LVL 7

Author Closing Comment

by:Senior IT System Engineer
ID: 40414690
Many thanks for the quick clarification !
 
LVL 24

Expert Comment

by:VB ITS
ID: 40414695
You're welcome :)
