Re: Remove domain admins from local admins group on specific serve



Are we talking about DCs or member servers?

DDS
"RA" <RA@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:495A6C78-0658-433F-A331-E130902A4FD9@xxxxxxxxxxxxxxxx
> Thanks for your reply, Here is the scenario,
>
> I have delegated full control of an OU under the main domain to a group.
> This group has full control over all servers in that OU only but are not
> domain admins. This group is also part of the local admins group on all the
> servers within that OU only. If one of these users removed the domain admins
> group from the local administrators group on one of these servers, will a
> domain admin still be able to log on to these servers? Also if they can I
> assume they will be able to add themselves back into the local admins group
> on the said servers as well.
>
> Thanks
>
>
> "Danny Sanders" wrote:
>
>> Actually you don't restrict the domain admin, you restrict who you add to
>> the group.
>>
>> One of the main criteria for being a domain admin is trust. If you can't
>> trust them they don't need to be a domain admin.
>>
>> If you could remove them, they as domain admins can undo whatever you can
>> do as a domain admin.
>>
>>
>> hth
>> DDS W 2k MVP MCSE
>>
>> "RA" <RA@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:6F24C573-528B-4C55-BA04-68763B0A7788@xxxxxxxxxxxxxxxx
>> > Hi
>> >
>> > I have a few servers in an OU in which I want to assign full control only
>> > to a specific group other than domain admins. If I remove the domain admins
>> > group from the local admins group on these servers:
>> >
>> > 1. Will that prevent all domain admins from logging on to these machines?
>> >
>> > 2. Can they (the domain admins) then seize control of these servers and add
>> > themselves back into the local admins groups (on these machines)?
>> >
>> > Thanks.
>> >
>>
>>
>>

