Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

Active Directory Schema Admins group

Posted on 2014-12-15
6
3,377 Views
Last Modified: 2014-12-20
If I understand any member of the Schema Admins Group, can change the schema of AD.

Well, if a user is member of Schema Admins Group only, can they add another user to Domain Admins Group or it is the other way around only.?

Thanks
0
Comment
Question by:jskfan
  • 3
  • 3
6 Comments
 
LVL 11

Assisted Solution

by:zalazar
zalazar earned 500 total points
ID: 40501487
Members of the Schema Admins group can not add another user to the Domain Admins group.
Only members of the Domain Admins, Enterprise Admins or Administrators group can add other members to the Domain Admins group.
Only members of the Domain Admins, Enterprise Admins or Administrators group can add members to the Schema Admins group.

It's indeed correct that only members of the Schema Admins group have the possiblity to change the schema of AD.
0
 

Author Comment

by:jskfan
ID: 40501620
It sounds like the only role of Schema Admins group is to change the Schema ?
if a user is member of Schema Admins Group can they add domain users to customized groups (Security Groups) that do not contain Enterprise Admins or Domain Admins ?


For instancemy domain user account is member of only one group which is Schema Admin group, can I create a security Group ( for instance Accounting) and add  regular domain users to Accounting security group ?
0
 
LVL 11

Assisted Solution

by:zalazar
zalazar earned 500 total points
ID: 40502161
As far as I know this group is only used for modifying the AD Schema.
When users become member of this group no other extra permissions are granted.
So if a user could not add users to other groups before, by adding the user to the Schema Admins this will not change.

I'm not sure if I understand your second question correctly.
If a user is member of only the Schema Admins group then it's possible to create a new security group (e.g. Accounting) and add regular domain users to it and even the user which is already in the Schema Admins group.

In most cases when a setup or installation will change the AD Schema the setup/install also requires that the user is a member of the Domain Admins or Enterprise Admins group so in practice only members of the Domain Admins and Enterprise Admins group will need Schema Admins permissions.
0
Ransomware: The New Cyber Threat & How to Stop It

This infographic explains ransomware, type of malware that blocks access to your files or your systems and holds them hostage until a ransom is paid. It also examines the different types of ransomware and explains what you can do to thwart this sinister online threat.  

 

Author Comment

by:jskfan
ID: 40506192
I believe Schema Admin has to be Domain Admin or has to be granted some specific rights to login to the Domain Controller. I have added a domain user account to Schema admin group, then logged out and tried to login to the DC with Schema Admin account and did not let me login to DC.

so if you add Schema Admin  to Domain Admins group , he will be able to add other  users.  
Though it does not make sense, since Schema Admin cannot logon to DC unless if it is member of Domain Admins.
Why Microsoft  does not just get rid of Schema Admin and let the Domain Admin to change the Schema ?
0
 
LVL 11

Accepted Solution

by:
zalazar earned 500 total points
ID: 40510643
By default only Administrators of the domain do have permissions to logon through Remote Desktop and some other limited groups to log on the console. You can change these permissions to also allow other users which do not have these permissions to logon via Remote Desktop or via the console on a domain controller.

But actually, you do not have to be logged on to the domain controller to be able to change the AD schema.
The AD schema can also be modified from a domain computer (e.g. workstation/laptop) when the logged in user has Schema Admins permissions. Modifications can be done by e.g. installing the Microsoft Remote Server Administration Tools.

Some organizations do leave the Schema Admins group empty to prevent any unplanned schema updates and only add members when there is a planned change.
0
 

Author Closing Comment

by:jskfan
ID: 40510670
Thank you!
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article, we will see the basic design consideration while designing a Multi-tenant web application in a simple manner. Though, many frameworks are available in the market to develop a multi - tenant application, but do they provide data, cod…
This article explains the steps required to use the default Photos screensaver to display branding/corporate images
This tutorial will walk an individual through locating and launching the BEUtility application and how to execute it on the appropriate database. Log onto the server running the Backup Exec database. In a larger environment, this would generally be …
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…

808 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question