
Found domain users group in ADUC Administrators group

king daddy asked:
Should I just remove them? What are the repercussions? I found this while cleaning up AD.

Thanks

Jeff Glover, Sr. Systems Administrator

Commented:
Which Administrators group? The one in the Builtin container or another? The Builtin Administrators group is AD's equivalent of a local administrator on a computer. It gives you way too much control over a DC and AD, but does not affect workstations or member computers. If someone added Domain Users into that group, that would give me the willies. The short answer to this is YES, remove them. There is no reason that group should be in ANY domain-wide Administrators group. There are some networks where you use Group Policy to add the Domain Users group into the local admins group on workstations, but to me, even that is not a great idea.

What this sounds like to me is someone tried to do this with Group Policy Restricted Groups and failed. Perhaps doing it at the Default Domain Policy or Default Domain Controllers Policy, thinking it would not affect DCs and AD. I would check that also. I know this will happen if you do it that way. The only things that should be in the Administrators group are the Administrator (the built-in Administrator account in AD) and Domain Admins.

Author

Commented:
Thanks for the reply, Jeff. The Builtin\Administrators group has Domain Admins and Domain Users. It also has a local admin group from one of our OUs. I bet you are right in regard to Group Policy. A sysadmin was trying to add Domain Users to the local admin group on their workstations through GP. I will check that.

I am going to remove domain users.

Thanks again.

Author

Commented:
So I removed domain users and now we have users telling us they are not able to delete files on their computers nor install programs.
Jeff Glover, Sr. Systems Administrator

Commented:
Well, that is a side effect of fixing your previous admin's mistake. In a normal, security-conscious network, normal users can never install programs or delete files from the C: drive of their local computer. They should always use either their personal profile folders or a network share, but it sounds like that was not the case in your network. If you have AD set up for easy management (do not use the default containers, but have OUs set up), then you can make a GPO assigning the Domain Users group to the local Administrators group on the PCs only and apply it to the GPOs that have computers in them. I would use Group Policy Preferences instead of Restricted Groups, but both will work as long as you understand how to do it.
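Added example, not code from the thread or its participants: a PowerShell audit for the two checks Jeff describes above. It lists the direct members of Builtin\Administrators against the two members he says belong there, then walks every GPO's SYSVOL files for Restricted Groups (GptTmpl.inf) or Group Policy Preferences Local Groups (Groups.xml) settings that mention the Administrators group or Domain Users, marking any GPO linked at the domain root or the Domain Controllers OU. It assumes the RSAT ActiveDirectory and GroupPolicy modules and an account that can read AD and SYSVOL.

```powershell
# Added example, not from the thread. Assumes RSAT ActiveDirectory and GroupPolicy
# modules and a domain account allowed to read AD and the SYSVOL share.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain         = Get-ADDomain
$domainSid      = $domain.DomainSID.Value
# Per the answer above: only built-in Administrator (RID 500) and Domain Admins (RID 512) belong here.
$expected       = @("$domainSid-500", "$domainSid-512")
$domainUsersSid = "$domainSid-513"   # Domain Users is always RID 513

# 1. Who is directly in Builtin\Administrators (well-known SID S-1-5-32-544)?
Write-Host "== Builtin\Administrators members =="
foreach ($m in Get-ADGroupMember -Identity 'S-1-5-32-544') {
    $tag = if ($expected -contains $m.SID.Value) { 'ok    ' } else { 'REVIEW' }
    Write-Host ("{0} {1,-30} {2}" -f $tag, $m.SamAccountName, $m.SID.Value)
}

# 2. Which GPOs push group membership, and are any linked where they would reach DCs
#    (domain root, e.g. Default Domain Policy, or the Domain Controllers OU)?
$dcOu     = "OU=Domain Controllers,$($domain.DistinguishedName)"
$dcLinked = foreach ($t in $domain.DistinguishedName, $dcOu) {
    (Get-GPInheritance -Target $t).GpoLinks.GpoId
}
$policies = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies"

Write-Host "`n== GPOs that set group membership =="
foreach ($gpo in Get-GPO -All) {
    $base  = Join-Path $policies "{$($gpo.Id)}\Machine"
    $files = @(
        (Join-Path $base 'Microsoft\Windows NT\SecEdit\GptTmpl.inf'),  # Restricted Groups
        (Join-Path $base 'Preferences\Groups\Groups.xml')              # GPP Local Users and Groups
    ) | Where-Object { Test-Path $_ }
    foreach ($f in $files) {
        # Lines naming the Administrators group or Domain Users are the ones to read closely.
        $hits = Select-String -Path $f -Pattern 'S-1-5-32-544', $domainUsersSid, 'Administrators', 'Domain Users'
        if ($hits) {
            $where = if ($dcLinked -contains $gpo.Id) { 'LINKED AT DOMAIN/DC LEVEL' } else { 'not linked at domain/DC level' }
            Write-Host ("{0}  [{1}]  {2}" -f $gpo.DisplayName, $where, (Split-Path $f -Leaf))
            $hits | ForEach-Object { Write-Host ('    ' + $_.Line.Trim()) }
        }
    }
}
```

A GPO flagged as linked at domain/DC level that names S-1-5-32-544 is the case Jeff warns about; one linked only to workstation OUs is the intended design from his follow-up.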

Author

Commented:
Perfect, thanks again Jeff. It's been a while since I have configured GPOs but have been cleaning up AD here and have created OUs that I can use for GPs as you suggested.
Jeff Glover, Sr. Systems Administrator

Commented:
It can be a challenge cleaning up after someone else.

Author

Commented:
Indeed!
