Solved

Active Directory Schema Admins group

Posted on 2014-12-15
6
3,126 Views
Last Modified: 2014-12-20
If I understand any member of the Schema Admins Group, can change the schema of AD.

Well, if a user is member of Schema Admins Group only, can they add another user to Domain Admins Group or it is the other way around only.?

Thanks
0
Comment
Question by:jskfan
  • 3
  • 3
6 Comments
 
LVL 11

Assisted Solution

by:zalazar
zalazar earned 500 total points
ID: 40501487
Members of the Schema Admins group can not add another user to the Domain Admins group.
Only members of the Domain Admins, Enterprise Admins or Administrators group can add other members to the Domain Admins group.
Only members of the Domain Admins, Enterprise Admins or Administrators group can add members to the Schema Admins group.

It's indeed correct that only members of the Schema Admins group have the possiblity to change the schema of AD.
0
 

Author Comment

by:jskfan
ID: 40501620
It sounds like the only role of Schema Admins group is to change the Schema ?
if a user is member of Schema Admins Group can they add domain users to customized groups (Security Groups) that do not contain Enterprise Admins or Domain Admins ?


For instancemy domain user account is member of only one group which is Schema Admin group, can I create a security Group ( for instance Accounting) and add  regular domain users to Accounting security group ?
0
 
LVL 11

Assisted Solution

by:zalazar
zalazar earned 500 total points
ID: 40502161
As far as I know this group is only used for modifying the AD Schema.
When users become member of this group no other extra permissions are granted.
So if a user could not add users to other groups before, by adding the user to the Schema Admins this will not change.

I'm not sure if I understand your second question correctly.
If a user is member of only the Schema Admins group then it's possible to create a new security group (e.g. Accounting) and add regular domain users to it and even the user which is already in the Schema Admins group.

In most cases when a setup or installation will change the AD Schema the setup/install also requires that the user is a member of the Domain Admins or Enterprise Admins group so in practice only members of the Domain Admins and Enterprise Admins group will need Schema Admins permissions.
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 

Author Comment

by:jskfan
ID: 40506192
I believe Schema Admin has to be Domain Admin or has to be granted some specific rights to login to the Domain Controller. I have added a domain user account to Schema admin group, then logged out and tried to login to the DC with Schema Admin account and did not let me login to DC.

so if you add Schema Admin  to Domain Admins group , he will be able to add other  users.  
Though it does not make sense, since Schema Admin cannot logon to DC unless if it is member of Domain Admins.
Why Microsoft  does not just get rid of Schema Admin and let the Domain Admin to change the Schema ?
0
 
LVL 11

Accepted Solution

by:
zalazar earned 500 total points
ID: 40510643
By default only Administrators of the domain do have permissions to logon through Remote Desktop and some other limited groups to log on the console. You can change these permissions to also allow other users which do not have these permissions to logon via Remote Desktop or via the console on a domain controller.

But actually, you do not have to be logged on to the domain controller to be able to change the AD schema.
The AD schema can also be modified from a domain computer (e.g. workstation/laptop) when the logged in user has Schema Admins permissions. Modifications can be done by e.g. installing the Microsoft Remote Server Administration Tools.

Some organizations do leave the Schema Admins group empty to prevent any unplanned schema updates and only add members when there is a planned change.
0
 

Author Closing Comment

by:jskfan
ID: 40510670
Thank you!
0

Featured Post

Simplifying Server Workload Migrations

This use case outlines the migration challenges that organizations face and how the Acronis AnyData Engine supports physical-to-physical (P2P), physical-to-virtual (P2V), virtual to physical (V2P), and cross-virtual (V2V) migration scenarios to address these challenges.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Is your Office 365 signature not working the way you want it to? Are signature updates taking up too much of your time? Let's run through the most common problems that an IT administrator can encounter when dealing with Office 365 email signatures.
This article runs through the process of deploying a single EXE application selectively to a group of user.
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

831 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question