Solved

Active Directory Schema Admins group

Posted on 2014-12-15
Medium Priority
5,199 Views
Last Modified: 2014-12-20
If I understand correctly, any member of the Schema Admins group can change the schema of AD.

Well, if a user is a member of the Schema Admins group only, can they add another user to the Domain Admins group, or is it only the other way around?

Thanks
0
Question by:jskfan
6 Comments
 
LVL 12

Assisted Solution

by:zalazar
zalazar earned 2000 total points
ID: 40501487
Members of the Schema Admins group cannot add another user to the Domain Admins group.
Only members of the Domain Admins, Enterprise Admins or Administrators group can add other members to the Domain Admins group.
Only members of the Domain Admins, Enterprise Admins or Administrators group can add members to the Schema Admins group.

It's indeed correct that only members of the Schema Admins group have the possibility to change the schema of AD.
0
 

Author Comment

by:jskfan
ID: 40501620
It sounds like the only role of the Schema Admins group is to change the schema?
If a user is a member of the Schema Admins group, can they add domain users to customized groups (security groups) that do not contain Enterprise Admins or Domain Admins?

For instance, my domain user account is a member of only one group, which is the Schema Admins group. Can I create a security group (for instance Accounting) and add regular domain users to the Accounting security group?
0
 
LVL 12

Assisted Solution

by:zalazar
zalazar earned 2000 total points
ID: 40502161
As far as I know this group is only used for modifying the AD schema.
When users become members of this group, no other extra permissions are granted.
So if a user could not add users to other groups before, adding the user to Schema Admins will not change this.

I'm not sure if I understand your second question correctly.
If a user is a member of only the Schema Admins group, then it's possible to create a new security group (e.g. Accounting) and add regular domain users to it, and even the user which is already in the Schema Admins group.

In most cases when a setup or installation will change the AD schema, the setup/install also requires that the user is a member of the Domain Admins or Enterprise Admins group, so in practice only members of the Domain Admins and Enterprise Admins groups will need Schema Admins permissions.
0
 

Author Comment

by:jskfan
ID: 40506192
I believe a Schema Admin has to be a Domain Admin or has to be granted some specific rights to log in to the domain controller. I have added a domain user account to the Schema Admins group, then logged out and tried to log in to the DC with the Schema Admin account, and it did not let me log in to the DC.

So if you add a Schema Admin to the Domain Admins group, he will be able to add other users.
Though it does not make sense, since a Schema Admin cannot log on to a DC unless it is a member of Domain Admins.
Why does Microsoft not just get rid of Schema Admins and let the Domain Admins change the schema?
0
 
LVL 12

Accepted Solution

by:zalazar
zalazar earned 2000 total points
ID: 40510643
By default only Administrators of the domain have permission to log on through Remote Desktop, and some other limited groups can log on at the console. You can change these permissions to also allow other users which do not have these permissions to log on via Remote Desktop or via the console on a domain controller.

But actually, you do not have to be logged on to the domain controller to be able to change the AD schema.
The AD schema can also be modified from a domain computer (e.g. workstation/laptop) when the logged-in user has Schema Admins permissions. Modifications can be done by e.g. installing the Microsoft Remote Server Administration Tools.

Some organizations leave the Schema Admins group empty to prevent any unplanned schema updates and only add members when there is a planned change.
0
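The two points the thread settles, that Schema Admins membership should normally be empty and that only a few groups hold the right to change Domain Admins membership, are both things an administrator can verify rather than take on faith. The script below is an added example, not code from the thread or from Microsoft; it assumes the ActiveDirectory RSAT module is installed, that the caller can read the directory, and that the planned Schema Admins membership list (`$expectedMembers`, constructed here as empty) is maintained by you. It resolves both groups by their well-known RIDs (518 for Schema Admins in the forest root domain, 512 for Domain Admins) instead of by display name, and it reads the `member` attribute's schemaIDGUID from the schema rather than hard-coding it.

```powershell
# Added example (not from the original thread): audit Schema Admins membership
# and list who holds rights to change Domain Admins membership.
# Assumes: ActiveDirectory RSAT module present, read access to the directory.
Import-Module ActiveDirectory

# Schema Admins exists only in the forest root domain; resolve it by RID 518.
$rootDomain   = (Get-ADForest).RootDomain
$rootSid      = (Get-ADDomain -Identity $rootDomain).DomainSID.Value
$schemaAdmins = Get-ADGroup -Identity "$rootSid-518" -Server $rootDomain

# Planned membership. Constructed value: empty, the steady state the thread recommends.
$expectedMembers = @()

# Recursive expansion so nested groups cannot hide an unplanned member.
$actual = Get-ADGroupMember -Identity $schemaAdmins -Server $rootDomain -Recursive |
          Select-Object -ExpandProperty SamAccountName

$unexpected = @($actual | Where-Object { $_ -notin $expectedMembers })
if ($unexpected.Count -gt 0) {
    Write-Warning "Schema Admins contains unplanned members: $($unexpected -join ', ')"
} else {
    Write-Output "Schema Admins membership matches the planned list."
}

# Who can add members to Domain Admins? Inspect the ACEs that grant write access
# to the group's 'member' attribute (or to the whole object). Domain Admins is
# protected by AdminSDHolder, so this ACL reflects the AdminSDHolder template.
$domainAdmins = Get-ADGroup -Identity "$((Get-ADDomain).DomainSID.Value)-512"

# Look the attribute GUID up in the schema instead of hard-coding it.
$memberAttr = Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=member)' -Properties schemaIDGUID
$memberAttrGuid = [guid]$memberAttr.schemaIDGUID

$acl = Get-Acl -Path "AD:\$($domainAdmins.DistinguishedName)"
$acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -match 'WriteProperty|GenericWrite|GenericAll|WriteDacl|WriteOwner') -and
        ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $memberAttrGuid)
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited |
    Format-Table -AutoSize
```

Run it from any domain-joined machine with RSAT, which mirrors the answer's point that schema work does not require a logon session on a domain controller. The first half is the check to schedule: any name printed by the warning is a member who was added outside a planned change. The second half lists the identities that can actually change Domain Admins membership; on a default domain you should see only the built-in administrative groups the answer names (plus SYSTEM and the group's owner), and Schema Admins should not appear there at all, which is the first answer's claim made visible.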
 

Author Closing Comment

by:jskfan
ID: 40510670
Thank you!
0
