Re: Administrators Group in Local Users and Groups



Hi Joe,

I do not see a problem with adding junior admins to the Account Operators
group. That gives them good privileges to the domain without giving them
domain admin rights. I feel safe doing this. Why do you feel it is not
safe?

--
Spin

"Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx> wrote in message
news:uO5Ox5LDGHA.2988@xxxxxxxxxxxxxxxxxxxxxxx
> 1. You can't have a group automatically added upon join. You can get them
> added via a group policy though, look at restricted groups.
>
> 2. You can't add builtin groups from the domain to domain member's builtin
> groups. Builtin groups have a well known sid, in the case of acc ops it is
> S-1-5-32-548. That group will not work outside of domain controllers. If
> you applied it to an admin group, it would give a resolution error.
> However think of if it did work, that SID has no domain affinity (i.e. no
> domain component of the SID) so ANY account operator of ANY domain would
> then have admin rights to your workstations. That is why it doesn't work
> at all.
>
> Finally, don't use account ops. It is a bad group to use for a multitude
> of reasons. Consider it useful only during migration from NT4. Once you
> have all 2K or better DCs, stop using it.
>
> joe
>
> --
> Joe Richards Microsoft MVP Windows Server Directory Services
> www.joeware.net
>
>
> Mark Morrell wrote:
>> Hi!
>> I am trying to find out how to add in the domain group Account Operators
>> to each workstation's administrator group (without going to each computer).
>>
>> Domain Admins is added into each computer when it joins the domain.
>> I want Account Operators to do the same.
>>
>> Running Server 2000 and 2003 native
>> With Workstations 2000 and XP
>> All updates as of yesterday.
>>
>> Thanks
>> Mark
>>
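
Added example, not part of the original thread: a small Python sketch of the SID structure behind point 2 of the quoted reply, showing that the Account Operators SID quoted there (S-1-5-32-548) carries no domain identifier, while a domain-issued SID does. The two domain identifiers are constructed sample values; RID 512 is the well-known Domain Admins RID.

```python
import struct

BUILTIN = 32   # S-1-5-32-RID: builtin alias, identical on every system
NT_DOMAIN = 21  # S-1-5-21-a-b-c-RID: principal issued by one specific domain


def sid_from_bytes(raw: bytes) -> str:
    """Decode a binary SID (the form stored in objectSid) to string form."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match length")
    authority = int.from_bytes(raw[2:8], "big")    # 48-bit, big-endian
    subs = struct.unpack(f"<{count}I", raw[8:])     # 32-bit, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def classify(sid: str) -> dict:
    """Report whether a SID string is tied to a domain, and its RID."""
    parts = sid.upper().split("-")
    if len(parts) < 4 or parts[0] != "S":
        raise ValueError(f"not a SID: {sid!r}")
    authority, subs = int(parts[2]), [int(p) for p in parts[3:]]
    if authority == 5 and subs[0] == NT_DOMAIN and len(subs) == 5:
        return {"kind": "domain", "domain": "-".join(parts[:-1]), "rid": subs[-1]}
    if authority == 5 and subs[0] == BUILTIN and len(subs) == 2:
        return {"kind": "builtin", "domain": None, "rid": subs[1]}
    return {"kind": "other", "domain": None, "rid": subs[-1]}


# Constructed sample data: two unrelated domains (made-up identifiers).
DOMAIN_A = "S-1-5-21-1111111111-2222222222-3333333333"
DOMAIN_B = "S-1-5-21-4000000000-1234567890-987654321"
ACCOUNT_OPS = bytes.fromhex("01020000000000052000000024020000")  # S-1-5-32-548

if __name__ == "__main__":
    ops = sid_from_bytes(ACCOUNT_OPS)
    print(ops, classify(ops))
    for dom in (DOMAIN_A, DOMAIN_B):
        # Domain Admins differs per domain; Account Operators never does.
        print(f"{dom}-512", classify(f"{dom}-512")["domain"], "| acc ops:", ops)
```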
