Solved

Active Directory Schema Admins group

Posted on 2014-12-15
3,730 Views
Last Modified: 2014-12-20
If I understand correctly, any member of the Schema Admins group can change the schema of AD.

Well, if a user is a member of the Schema Admins group only, can they add another user to the Domain Admins group, or is it only the other way around?

Thanks
Question by:jskfan
6 Comments
 
LVL 12

Assisted Solution

by:zalazar
zalazar earned 500 total points
ID: 40501487
Members of the Schema Admins group cannot add another user to the Domain Admins group.
Only members of the Domain Admins, Enterprise Admins or Administrators group can add other members to the Domain Admins group.
Only members of the Domain Admins, Enterprise Admins or Administrators group can add members to the Schema Admins group.

It's indeed correct that only members of the Schema Admins group have the possibility to change the schema of AD.
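The first two statements in that answer can be verified in your own domain rather than taken on trust. The PowerShell below is an added example, not code from the thread: it reads a group's security descriptor from the AD: drive and lists every principal allowed to write its member attribute, which is what "can add members" means at the directory level. It assumes the RSAT ActiveDirectory module is installed and that it runs in the forest root domain (where Schema Admins lives); the function names Test-AdRight and Get-GroupMembershipWriters are mine. Domain Admins and Schema Admins are protected groups, so SDProp periodically rewrites their ACLs from CN=AdminSDHolder,CN=System; the script therefore reads that object as well, because rights delegated directly on the group do not survive.

```powershell
# Added example (not from the thread): who can add members to a group?
# Assumes: RSAT ActiveDirectory module, run in the forest root domain.
Import-Module ActiveDirectory

# schemaIDGUID of the "member" attribute. An ACE whose ObjectType is this GUID
# grants rights on that single attribute; an all-zero ObjectType means all properties.
$MemberAttributeGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
$AllProperties       = [guid]'00000000-0000-0000-0000-000000000000'

function Test-AdRight {
    param(
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [System.DirectoryServices.ActiveDirectoryRights]$Flag
    )
    # True when every bit of $Flag is present in $Rights (the enum is a flags enum).
    return (([int]$Rights -band [int]$Flag) -eq [int]$Flag)
}

function Get-GroupMembershipWriters {
    param([Parameter(Mandatory)][string]$DistinguishedName)

    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        # Deny ACEs are ignored here; a real delegation review should weigh them too.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $r = $ace.ActiveDirectoryRights

        # GenericAll/GenericWrite cover every attribute; WriteProperty only counts if it
        # is unscoped or scoped to "member". WriteProperty scoped to a property-set GUID
        # is not expanded here and shows up under "Scope" for manual review.
        $coversMember =
            (Test-AdRight $r GenericAll) -or
            (Test-AdRight $r GenericWrite) -or
            ((Test-AdRight $r WriteProperty) -and
             ($ace.ObjectType -eq $AllProperties -or $ace.ObjectType -eq $MemberAttributeGuid))
        if (-not $coversMember) { continue }

        if ($ace.ObjectType -eq $MemberAttributeGuid) { $scope = 'member attribute' }
        elseif ($ace.ObjectType -eq $AllProperties)   { $scope = 'all properties' }
        else { $scope = "property set / attribute $($ace.ObjectType)" }

        [pscustomobject]@{
            Object    = $DistinguishedName
            Identity  = $ace.IdentityReference.Value
            Rights    = $r
            Scope     = $scope
            Inherited = $ace.IsInherited
        }
    }
}

$domainDn = (Get-ADDomain).DistinguishedName
$targets  = @(
    (Get-ADGroup 'Domain Admins').DistinguishedName
    (Get-ADGroup 'Schema Admins').DistinguishedName
    "CN=AdminSDHolder,CN=System,$domainDn"   # template SDProp stamps onto protected groups
)
$targets | ForEach-Object { Get-GroupMembershipWriters -DistinguishedName $_ } | Format-Table -AutoSize
```

On an unmodified domain the output for Domain Admins and for AdminSDHolder is dominated by GenericAll entries for Administrators, Domain Admins, Enterprise Admins and SYSTEM; Schema Admins does not appear, which is the concrete form of the answer's statement. If Schema Admins or any other unexpected principal does show up, the AdminSDHolder row tells you whether that delegation is permanent (set on the template) or will be wiped at the next SDProp run.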
 

Author Comment

by:jskfan
ID: 40501620
It sounds like the only role of the Schema Admins group is to change the schema?
If a user is a member of the Schema Admins group, can they add domain users to customized groups (security groups) that do not contain Enterprise Admins or Domain Admins?


For instance, my domain user account is a member of only one group, which is the Schema Admins group. Can I create a security group (for instance, Accounting) and add regular domain users to the Accounting security group?
 
LVL 12

Assisted Solution

by:zalazar
zalazar earned 500 total points
ID: 40502161
As far as I know this group is only used for modifying the AD schema.
When users become members of this group, no other extra permissions are granted.
So if a user could not add users to other groups before, adding the user to Schema Admins will not change this.

I'm not sure if I understand your second question correctly.
If a user is a member of only the Schema Admins group, then it's possible to create a new security group (e.g. Accounting) and add regular domain users to it, and even the user which is already in the Schema Admins group.

In most cases, when a setup or installation will change the AD schema, the setup/install also requires that the user is a member of the Domain Admins or Enterprise Admins group, so in practice only members of the Domain Admins and Enterprise Admins group will need Schema Admins permissions.

Author Comment

by:jskfan
ID: 40506192
I believe a Schema Admin has to be a Domain Admin, or has to be granted some specific rights, to log in to the domain controller. I added a domain user account to the Schema Admins group, then logged out and tried to log in to the DC with the Schema Admin account, and it did not let me log in to the DC.

So if you add a Schema Admin to the Domain Admins group, he will be able to add other users.
Though it does not make sense, since a Schema Admin cannot log on to a DC unless he is a member of Domain Admins.
Why does Microsoft not just get rid of Schema Admins and let the Domain Admins change the schema?
 
LVL 12

Accepted Solution

by:zalazar
zalazar earned 500 total points
ID: 40510643
By default, only Administrators of the domain have permission to log on through Remote Desktop, and some other limited groups can log on at the console. You can change these permissions to also allow other users who do not have them to log on via Remote Desktop or via the console on a domain controller.

But actually, you do not have to be logged on to the domain controller to be able to change the AD schema.
The AD schema can also be modified from a domain computer (e.g. workstation/laptop) when the logged-in user has Schema Admins permissions. Modifications can be done by e.g. installing the Microsoft Remote Server Administration Tools.

Some organizations leave the Schema Admins group empty to prevent any unplanned schema updates and only add members when there is a planned change.
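The last two points in that answer (the schema is changed from wherever the admin tools run, and the group is kept empty between planned changes) translate into a routine check. The PowerShell below is an added example, not code from the thread: it reports the current Schema Admins members (nested groups flattened), the schema master, which is the one DC that accepts schema writes no matter which machine the RSAT tools run on, and the schema objectVersion, which rises whenever an extension is applied, so a change in it between two runs is the "unplanned schema update" the answer warns about. A second, ShouldProcess-guarded function empties the group again after a planned change. It assumes the RSAT ActiveDirectory module and the default English group name; the function names Get-SchemaAdminsReport and Clear-SchemaAdmins are mine.

```powershell
# Added example (not from the thread): audit Schema Admins and the schema state.
# Assumes: RSAT ActiveDirectory module, default English group name.
Import-Module ActiveDirectory

function Get-SchemaAdminsReport {
    $forest  = Get-ADForest
    $rootDse = Get-ADRootDSE
    # objectVersion on the schema naming context head is the forest schema version
    # (for example 69 for Windows Server 2012 R2); it only goes up, when an extension is applied.
    $schemaNc = Get-ADObject -Identity $rootDse.schemaNamingContext -Properties objectVersion
    # Schema Admins is a universal group that exists only in the forest root domain.
    $members  = Get-ADGroupMember -Identity 'Schema Admins' -Server $forest.RootDomain -Recursive

    [pscustomobject]@{
        Forest        = $forest.Name
        SchemaMaster  = $forest.SchemaMaster     # the only DC that accepts schema writes
        SchemaVersion = $schemaNc.objectVersion
        SchemaAdmins  = @($members | ForEach-Object { $_.SamAccountName })
        MemberCount   = @($members).Count
    }
}

function Clear-SchemaAdmins {
    # Supports -WhatIf / -Confirm so the removal can be previewed first.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $rootDomain = (Get-ADForest).RootDomain
    # Direct members only: a nested group is removed as a whole, not flattened.
    $members = Get-ADGroupMember -Identity 'Schema Admins' -Server $rootDomain
    foreach ($m in $members) {
        if ($PSCmdlet.ShouldProcess($m.SamAccountName, 'Remove from Schema Admins')) {
            Remove-ADGroupMember -Identity 'Schema Admins' -Server $rootDomain -Members $m -Confirm:$false
        }
    }
}

$report = Get-SchemaAdminsReport
$report | Format-List
if ($report.MemberCount -gt 0) {
    Write-Warning ("Schema Admins is not empty: {0}. Run Clear-SchemaAdmins -WhatIf to preview removal." -f ($report.SchemaAdmins -join ', '))
}
```

Running the report before and after a planned change (add the account, apply the extension against the schema master, run Clear-SchemaAdmins) gives you the membership and the version number on both sides; running it on a schedule with no change planned turns a non-empty group or a changed version into an alert instead of a surprise.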
 

Author Closing Comment

by:jskfan
ID: 40510670
Thank you!