
Active Directory Schema Admins group

If I understand correctly, any member of the Schema Admins group can change the schema of AD.

Well, if a user is a member of the Schema Admins group only, can they add another user to the Domain Admins group, or is it only the other way around?

Thanks
 
zalazar commented:
Members of the Schema Admins group can not add another user to the Domain Admins group.
Only members of the Domain Admins, Enterprise Admins or Administrators group can add other members to the Domain Admins group.
Only members of the Domain Admins, Enterprise Admins or Administrators group can add members to the Schema Admins group.

It's indeed correct that only members of the Schema Admins group have the possibility to change the schema of AD.
 
jskfan (Author) commented:
It sounds like the only role of the Schema Admins group is to change the schema?
If a user is a member of the Schema Admins group, can they add domain users to customized groups (security groups) that do not contain Enterprise Admins or Domain Admins?

For instance, my domain user account is a member of only one group, which is the Schema Admins group. Can I create a security group (for instance Accounting) and add regular domain users to the Accounting security group?
 
zalazar commented:
As far as I know this group is only used for modifying the AD Schema.
When users become member of this group no other extra permissions are granted.
So if a user could not add users to other groups before, adding the user to Schema Admins will not change this.

I'm not sure if I understand your second question correctly.
If a user is a member of only the Schema Admins group, then it's possible to create a new security group (e.g. Accounting) and add regular domain users to it, and even the user who is already in the Schema Admins group.

In most cases, when a setup or installation changes the AD schema, the setup/install also requires that the user is a member of the Domain Admins or Enterprise Admins group, so in practice only members of the Domain Admins and Enterprise Admins groups will need Schema Admins permissions.
 
jskfan (Author) commented:
I believe a Schema Admin has to be a Domain Admin or has to be granted some specific rights to log in to the domain controller. I added a domain user account to the Schema Admins group, then logged out and tried to log in to the DC with the Schema Admin account, and it did not let me log in to the DC.

So if you add a Schema Admin to the Domain Admins group, he will be able to add other users.
Though it does not make sense, since a Schema Admin cannot log on to a DC unless it is a member of Domain Admins.
Why does Microsoft not just get rid of Schema Admins and let the Domain Admins change the schema?
 
zalazar commented:
By default only Administrators of the domain have permissions to log on through Remote Desktop, and some other limited groups can log on at the console. You can change these permissions to also allow other users who do not have these permissions to log on via Remote Desktop or via the console on a domain controller.

But actually, you do not have to be logged on to the domain controller to be able to change the AD schema.
The AD schema can also be modified from a domain computer (e.g. workstation/laptop) when the logged-in user has Schema Admins permissions. Modifications can be done by, e.g., installing the Microsoft Remote Server Administration Tools.

Some organizations do leave the Schema Admins group empty to prevent any unplanned schema updates and only add members when there is a planned change.
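As an added example (not code from the thread), this PowerShell script checks the two points zalazar makes above: whether Schema Admins is empty, and which principals hold write access to the member attribute of Domain Admins, i.e. who can actually add users to that group. It assumes the RSAT ActiveDirectory module on a domain-joined machine; the group names and attribute GUIDs are the standard ones, and the function names are my own.

```powershell
# Added example, not code from the thread. Audits the two facts discussed above:
# (1) Schema Admins membership, which is normally kept empty, and
# (2) which principals can write the "member" attribute of Domain Admins.
# Assumes the RSAT ActiveDirectory module on a domain-joined machine.
Import-Module ActiveDirectory

# Well-known schemaIDGUID of the "member" attribute and of the "Membership"
# property set that contains it; an ACE with an empty ObjectType covers all attributes.
$memberAttrGuid    = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
$membershipSetGuid = [Guid]'bc0ac240-79a9-11d0-9020-00c04fc2d4cf'

# Schema Admins lives in the forest root domain, so query the root explicitly.
$rootDomain = (Get-ADForest).RootDomain

function Get-SchemaAdminsMembers {
    Get-ADGroupMember -Identity 'Schema Admins' -Server $rootDomain -Recursive
}

function Get-DomainAdminsMemberWriters {
    $da  = Get-ADGroup -Identity 'Domain Admins'
    # Domain Admins is protected by AdminSDHolder, so this ACL mirrors AdminSDHolder.
    $acl = Get-Acl -Path ("AD:\" + $da.DistinguishedName)
    $write = [int]([System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor
                   [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite  -bor
                   [System.DirectoryServices.ActiveDirectoryRights]::GenericAll)
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.ActiveDirectoryRights -band $write) -ne 0) -and
        ($_.ObjectType -in @([Guid]::Empty, $memberAttrGuid, $membershipSetGuid))
    } | Select-Object IdentityReference, ActiveDirectoryRights, ObjectType
}

$members = Get-SchemaAdminsMembers
if ($members) {
    Write-Warning ('Schema Admins is not empty: ' + ($members.SamAccountName -join ', '))
} else {
    Write-Output 'Schema Admins is empty (expected outside a planned schema change).'
}

Write-Output 'Principals that can modify Domain Admins membership:'
Get-DomainAdminsMemberWriters | Format-Table -AutoSize
```

Run it from a child domain as well if you have one; Domain Admins is per domain, while Schema Admins exists only in the forest root.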
 
jskfan (Author) commented:
Thank you!