Solved

Windows Active Directory Domain Admins group questions

Posted on 2014-10-29
Medium Priority
593 Views
Last Modified: 2014-10-30
Hi People,

I have some questions regarding the Domain Admins group that is built in to Active Directory.

1. Is the Domain Admins group automatically added as a member of each server's local Administrators group once the server is joined to the AD domain?

2. I'd like to remove some members of the IT helpdesk support team from the Domain Admins group, but I still want them to be able to log in to certain servers and perform a restart when necessary, and nothing else. Does placing them in the local server's Power Users group allow them to reboot the server?
12 Comments
 
LVL 24

Assisted Solution

by:VB ITS
VB ITS earned 2000 total points
ID: 40412460
1. Is the Domain Admins group automatically added as a member of each server's local Administrators group once the server is joined to the AD domain?
Yes, the Domain Admins group is automatically added to the server's local Administrators group when it is joined to the domain. Please see the Description under Administrators in this article for further info: http://technet.microsoft.com/en-us/library/cc785098%28WS.10%29.aspx

2. I'd like to remove some members of the IT helpdesk support team from the Domain Admins group, but I still want them to be able to log in to certain servers and perform a restart when necessary, and nothing else. Does placing them in the local server's Power Users group allow them to reboot the server?
If you only want the user to restart the server and do nothing else, you can modify the User Rights Assignment on the server either through gpedit.msc or Group Policy.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment > double-click Shut down the system > you can then add either the individual user or a security group here.

If they are going to be logging into the server remotely, then remember that you may also need to add them to the Remote Desktop Users group on the server once you take them out of the Domain Admins group.
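A quick way to check the state described in the answer above on a member server, as an added example that is not part of the original thread. It verifies who sits in the local Administrators group (Domain Admins should be there, the helpdesk group should not), then exports the effective User Rights Assignment with secedit and reports who holds "Shut down the system" and "Allow log on through Remote Desktop Services". The domain NetBIOS name DOMAIN and the group name IT Helpdesk are placeholders; Get-LocalGroupMember needs PowerShell 5.1 or later (substitute `net localgroup` on older servers).

```powershell
# Added example, not from the original thread. Run in an elevated PowerShell
# session on a domain-joined member server.
# Assumed (placeholder) name of the helpdesk security group:
$HelpdeskGroup = 'DOMAIN\IT Helpdesk'

# 1. Local Administrators: Domain Admins is added automatically at domain join.
$admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
"Local Administrators: $($admins -join ', ')"
if ($admins -contains $HelpdeskGroup) {
    Write-Warning "$HelpdeskGroup still has local admin rights on this server"
}

# 2. Export the effective User Rights Assignment. secedit writes a Unicode .inf
#    whose [Privilege Rights] section lists each right as '*SID,*SID,...'.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

$rights = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $name = $matches[1]
        $sids = $matches[2]
        # Translate each SID to DOMAIN\Name; keep the raw SID if it cannot be resolved.
        $rights[$name] = $sids.Split(',') | ForEach-Object {
            $sid = $_.Trim().TrimStart('*')
            try {
                (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate(
                    [System.Security.Principal.NTAccount]).Value
            } catch { $sid }
        }
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

"Shut down the system (SeShutdownPrivilege): $($rights['SeShutdownPrivilege'] -join ', ')"
"Allow log on through RDS (SeRemoteInteractiveLogonRight): $($rights['SeRemoteInteractiveLogonRight'] -join ', ')"

# 3. The helpdesk group must be able to reboot and to log on via RDP (directly or
#    through the Remote Desktop Users group) without being a local administrator.
$rdpUsers    = Get-LocalGroupMember -Group 'Remote Desktop Users' | Select-Object -ExpandProperty Name
$canShutdown = $rights['SeShutdownPrivilege'] -contains $HelpdeskGroup
$canRdp      = ($rights['SeRemoteInteractiveLogonRight'] -contains $HelpdeskGroup) -or
               ($rdpUsers -contains $HelpdeskGroup)
$isAdmin     = $admins -contains $HelpdeskGroup
"$HelpdeskGroup -> shutdown: $canShutdown, RDP: $canRdp, local admin: $isAdmin"
```

Run it once before and once after the GPO change: the expected end state is shutdown and RDP true and local admin false. If the right is granted through a group (for example BUILTIN\Remote Desktop Users holds SeRemoteInteractiveLogonRight by default), the group, not the helpdesk group, is what appears in the exported list.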
 
LVL 8

Author Comment

by:Senior IT System Engineer
ID: 40412600
Hi VB,

So in this case, how can I deny all users from connecting using RDP to all domain-joined servers, apart from the Domain Admins?

Because my understanding is that Domain Admins is always part of the local Administrators group of the server, which is always granted access to the server using RDP.
 
LVL 8

Author Comment

by:Senior IT System Engineer
ID: 40412633
Thanks VB ITS for the clarification.

So for the Service Desk/Help Desk team who should not be getting local admin rights, they should be placed into the "IT Helpdesk" AD security group and then, using the GPO that you mentioned, add it into the rule?
 
LVL 24

Assisted Solution

by:VB ITS
VB ITS earned 2000 total points
ID: 40414479
So in this case, how can I deny all users from connecting using RDP to all domain-joined servers, apart from the Domain Admins?
This should already be in place, as Domain Admins (being part of the Administrators group) will already have RDP access to all domain-joined machines. No other users will be able to RDP to any of your servers by default unless they are manually added to the Remote Desktop Users group on each server.
So for the Service Desk/Help Desk team who should not be getting local admin rights, they should be placed into the "IT Helpdesk" AD security group and then, using the GPO that you mentioned, add it into the rule?
Yes, that's correct. Remove your Service Desk/Help Desk team members from the Domain Admins group, create a new Security Group, then add them to this new Security Group. You can then create a GPO to grant this Security Group shutdown rights using the policy mentioned in my previous post.

Just remember that with the GPO you will need to apply it to an Organizational Unit which contains the computer objects for all of your member servers in ADUC, as the policy is a Computer level policy.
 
LVL 8

Author Comment

by:Senior IT System Engineer
ID: 40414483
Cool,

That does make sense. So if the AD OU structure has multiple office site locations under the root domain.com, should I create the GPO at the root level, the same as the Default Domain Controller policy (default GPO)?
 
LVL 24

Expert Comment

by:VB ITS
ID: 40414492
If you create the GPO at the root level then your team will have the ability to shut down all the computers and servers in the organization. Whether this is something you want is up to you.
 
LVL 8

Author Comment

by:Senior IT System Engineer
ID: 40414556
OK, so how about placing a DENY or exception on the Data Center Servers OU?
Is there any GPO trick that can be done to prevent that from happening?
 
LVL 24

Assisted Solution

by:VB ITS
VB ITS earned 2000 total points
ID: 40414627
You can right-click on the Data Center Servers OU in the Group Policy Management Console > Block Inheritance.

This will, however, block all other GPOs from applying to the computers in the Data Center Servers OU. What you will then need to do is re-link the GPOs that you want to run on these computers by right-clicking on the Data Center Servers OU > Link an Existing GPO... > select your GPO from the list > repeat until you have applied all the GPOs you want applying to your servers at the data center.

Another option would be to use the steps in this article to prevent the GPO from applying to specific computers: http://www.grouppolicy.biz/2010/05/how-to-exclude-individual-users-or-computers-from-a-group-policy-object/

At Step 3 in this article, when you click on Add to add the computer object, you will need to click on the Object Types button and then tick the box for Computers so that you can add the computer objects for each server in your Data Center Servers OU.
[Image: Object-Types.PNG]
 
LVL 8

Author Comment

by:Senior IT System Engineer
ID: 40414636
Thanks man for the quick reply and explanation. So in this case, if I use the method set out in the article linked above (http://www.grouppolicy.biz/2010/05/how-to-exclude-individual-users-or-computers-from-a-group-policy-object/), do I need to manually add new servers that are added to the Data Center OU?

Or is there any manual intervention needed later on, or is it just a one-off process?
 
LVL 24

Accepted Solution

by:VB ITS
VB ITS earned 2000 total points
ID: 40414683
Yes, if you use the method in that link you will need to manually add any new servers you add to the Data Center Servers OU to the ACL of the shutdown GPO, and then tick the box to deny the GPO from applying to the new server.

If you'd rather do it once, then I suggest using the first method in my previous post, i.e. block inheritance on the OU, then re-link all the policies except for the allow shut down policy. An idea would be to note down all the current policies applying to the Data Center Servers OU by clicking on the OU in GPMC > Linked Group Policy Objects tab.
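The once-off approach in the accepted solution (note down what currently applies, block inheritance on the OU, re-link everything except the shutdown GPO), scripted with the GroupPolicy module as an added example that is not part of the original thread. The OU distinguished name and the GPO display name are placeholders. It also covers the caveat a practitioner wants here: a link marked Enforced still applies through Block Inheritance, so blocking inheritance will not exclude an enforced shutdown GPO, and enforced links from parent containers must not be re-linked (they never stopped applying).

```powershell
# Added example, not from the original thread. Requires the GroupPolicy module
# (Group Policy Management feature / RSAT) and permission to link GPOs on the OU.
Import-Module GroupPolicy

# Placeholder names; adjust to your environment.
$Ou          = 'OU=Data Center Servers,DC=domain,DC=com'
$ShutdownGpo = 'IT Helpdesk - Allow Shut Down'
$DryRun      = $true   # set to $false to apply the change

# "Note down all the current policies": InheritedGpoLinks is every link that
# reaches this OU, in precedence order; Target shows where each link lives.
$before = Get-GPInheritance -Target $Ou
$before.InheritedGpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced, Target |
    Format-Table -AutoSize

# Block Inheritance only removes links inherited from parent containers that are
# not Enforced. Links made directly on this OU stay, and Enforced links keep applying.
$toRelink = $before.InheritedGpoLinks | Where-Object {
    $_.Target -ne $Ou -and -not $_.Enforced
}

# Sanity checks before flipping the switch.
$shutdownLink = $before.InheritedGpoLinks | Where-Object DisplayName -eq $ShutdownGpo
if (-not $shutdownLink) {
    Write-Warning "$ShutdownGpo does not currently apply to $Ou; nothing to exclude"
} elseif ($shutdownLink.Enforced) {
    throw "$ShutdownGpo is Enforced; Block Inheritance will not stop it. Remove Enforced first."
}

$keep = $toRelink | Where-Object DisplayName -ne $ShutdownGpo | Sort-Object Order
if ($DryRun) {
    "Would block inheritance on $Ou and re-link:"
    $keep | ForEach-Object { "  $($_.DisplayName)  (currently linked at $($_.Target))" }
    return
}

Set-GPInheritance -Target $Ou -IsBlocked Yes | Out-Null

# Re-link the kept GPOs below the OU's own direct links, preserving their old
# relative precedence (direct links on an OU already outrank inherited ones).
$order = @($before.GpoLinks).Count + 1
foreach ($link in $keep) {
    $enabled = if ($link.Enabled) { 'Yes' } else { 'No' }
    New-GPLink -Guid $link.GpoId -Target $Ou -LinkEnabled $enabled -Order $order | Out-Null
    $order++
}

# Verify: the shutdown GPO must no longer reach the OU, everything else still must.
$after = Get-GPInheritance -Target $Ou
if ($after.InheritedGpoLinks.DisplayName -contains $ShutdownGpo) {
    Write-Warning "$ShutdownGpo still applies to $Ou"
} else {
    "$ShutdownGpo no longer applies to $Ou"
}
$missing = $keep | Where-Object { $after.InheritedGpoLinks.DisplayName -notcontains $_.DisplayName }
if ($missing) { Write-Warning "Not re-linked: $($missing.DisplayName -join ', ')" }
$after.InheritedGpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced, Target |
    Format-Table -AutoSize
```

Run it first with $DryRun left at $true and compare the list against the Linked Group Policy Objects tab in GPMC; only then set $DryRun to $false. After the change, `gpupdate /force` followed by `gpresult /r /scope computer` on a server in the OU confirms the shutdown GPO is no longer in the applied list.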
 
LVL 8

Author Closing Comment

by:Senior IT System Engineer
ID: 40414690
Many thanks for the quick clarification !
 
LVL 24

Expert Comment

by:VB ITS
ID: 40414695
You're welcome :)