Re: Remove domain admins from local admins group on specific serve




Are we talking about DCs or member servers?

DDS
"RA" <RA@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:495A6C78-0658-433F-A331-E130902A4FD9@xxxxxxxxxxxxxxxx
> Thanks for your reply. Here is the scenario:
>
> I have delegated full control of an OU under the main domain to a group.
> This group has full control over all servers in that OU only but are not
> domain admins. This group is also part of the local admins group on all
> the servers within that OU only. If one of these users removed the domain
> admins group from the local administrators group on one of these servers,
> will a domain admin still be able to log on to these servers? Also, if they
> can, I assume they will be able to add themselves back into the local
> admins group on the said servers as well.
>
> Thanks
>
>
> "Danny Sanders" wrote:
>
>> Actually, you don't restrict the domain admin; you restrict who you add to
>> the group.
>>
>> One of the main criteria for being a domain admin is trust. If you can't
>> trust them they don't need to be a domain admin.
>>
>> If you could remove them, they as domain admins can undo whatever you
>> can do as a domain admin.
>>
>>
>> hth
>> DDS W 2k MVP MCSE
>>
>> "RA" <RA@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:6F24C573-528B-4C55-BA04-68763B0A7788@xxxxxxxxxxxxxxxx
>> > Hi
>> >
>> > I have a few servers in an OU in which I want to assign full control
>> > only to a specific group other than domain admins. If I remove the
>> > domain admins group from the local admins group on these servers:
>> >
>> > 1. Will that prevent all domain admins from logging on to these
>> > machines?
>> >
>> > 2. Can they (the domain admins) then seize control of these servers and
>> > add themselves back into the local admins groups (on these machines)?
>> >
>> > Thanks.
>> >
>>
>>
>>

