king daddy

Found domain users group in ADUC Administrators group

Should I just remove them? What are the repercussions? I found this while cleaning up AD.

Thanks
Jeff Glover

Which Administrators group? The one in the Builtin container or another? The built-in Administrators group is AD's equivalent of a local administrator on a computer. It gives you way too much control over a DC and AD but does not affect workstations or member computers. If someone added Domain Users into that group, that would give me the willies. The short answer to this is YES, remove them. There is no reason that group should be in ANY domain-wide Administrators group. There are some networks where you use Group Policy to add the Domain Users group into the local admins group on workstations, but to me, even that is not a great idea.
  What this sounds like to me is someone tried to do this with Group Policy Restricted Groups and failed, perhaps doing it at the Default Domain Policy or Default Domain Controllers Policy, thinking it would not affect DCs and AD. I would check that also. I know this will happen if you do it that way. The only things that should be in the Administrators group are the Administrator (the built-in Administrator account in AD) and Domain Admins.
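
The two checks suggested in the answer above, written as a read-only audit. This is an added example, not part of the original answer; it assumes the RSAT ActiveDirectory and GroupPolicy modules are installed and that the Domain Controllers OU still has its default name and location.

```powershell
# Added example: read-only audit; changes nothing in AD or Group Policy.
Import-Module ActiveDirectory, GroupPolicy

$domain    = Get-ADDomain
$domainSid = $domain.DomainSID.Value

# Baseline taken from the answer above: the built-in Administrator account
# (RID 500) and Domain Admins (RID 512). Edit this list to match your own baseline.
$expected = @("$domainSid-500", "$domainSid-512")

# S-1-5-32-544 is the well-known SID of BUILTIN\Administrators.
$unexpected = Get-ADGroupMember -Identity 'S-1-5-32-544' |
    Where-Object { $expected -notcontains $_.SID.Value } |
    Select-Object Name, objectClass,
        @{ n = 'SID';           e = { $_.SID.Value } },
        @{ n = 'IsDomainUsers'; e = { $_.SID.Value -eq "$domainSid-513" } }

# Every GPO that carries a Restricted Groups section, and where it is linked.
# Assumption: the Domain Controllers OU sits at its default path.
$dcOuPath = "$($domain.DNSRoot)/Domain Controllers"
$gpoHits = foreach ($gpo in Get-GPO -All) {
    [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
    $rg = $report.SelectNodes("//*[local-name()='RestrictedGroups']")
    if ($rg.Count -eq 0) { continue }
    $links = @($report.SelectNodes("//*[local-name()='LinksTo']/*[local-name()='SOMPath']") |
        ForEach-Object { $_.InnerText })
    [pscustomobject]@{
        GPO        = $gpo.DisplayName
        Entries    = $rg.Count
        LinkedTo   = $links -join '; '
        # A link at the domain root or the Domain Controllers OU applies to DCs.
        ReachesDCs = [bool]($links | Where-Object { $_ -in @($domain.DNSRoot, $dcOuPath) })
    }
}

$unexpected | Format-Table -AutoSize
$gpoHits    | Format-Table -AutoSize -Wrap
```

Record the output of both tables before removing any member, so the workstations that depended on the old membership can be identified and given a properly scoped policy.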
king daddy

ASKER

Thanks for the reply, Jeff. The builtin/administrators group has domain admins and domain users. It also has a local admin group from one of our OUs. I bet you are right in regard to group policy. A sys admin was trying to add domain users to the local admin group on their workstations through GP. I will check that.

I am going to remove domain users.

Thanks again.
So I removed domain users and now we have users telling us they are not able to delete files on their computers nor install programs.
ASKER CERTIFIED SOLUTION
Jeff Glover
Perfect, thanks again Jeff. It's been a while since I have configured GPOs but have been cleaning up AD here and have created OUs that I can use for GPs as you suggested.
It can be a challenge cleaning up after someone else.
Indeed!