Re: Settle an Administrator's dispute
- From: "Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx>
- Date: Sat, 05 Aug 2006 15:13:52 -0400
You have either dorked with your Directory's permissions or you didn't wait long enough for the changes to replicate around.
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
savvy95 wrote:
I did test it by creating a user and putting him into the global group that's in the Administrators built-in group, and when I logged on with the user, I couldn't create/modify/delete users or modify distribution groups. I suspect the same for create/modify/delete computer and group accounts in AD as well.
I know who'll be buying the next round of beer. I will.
Anyone want to join us ;)
"Robert Moir" wrote:
savvy95 wrote:
We have a dispute where one Admin disagrees with another 2 regarding the Administrators Local Group ON THE DOMAIN CONTROLLER. We are not talking about the group on the workstation.
I'd like confirmation that I'm correct.
Our disagreeable admin says that if a Global Group is put into the Administrators Local Group on the DC but not in the Domain Admins Global Group, the users of the Global Group do not have the same permissions as the Administrator account -- particularly to add/modify/delete user/computer/group accounts in AD.
Can you help settle this dispute?
Sure. That bit is easy.
Anyone who didn't say something like "Are you people crazy, there's no such thing as a 'local administrators' group on a domain controller, and even if there were, adding people to it has nothing to do with local admin rights on workstations" is wrong.
There is NO SUCH THING as a *purely* local group on a domain controller. Anyone who believes such a thing shouldn't be a domain admin. Sorry.
If you've been adding domain users to the built in 'Administrators' group then you've essentially made all those users administrators of your domain controllers (including, by default, active directory). Test one and see.
The original problem was to give domain user accounts local administrator rights.
Oh. In that case why not try something like this:
http://www.microsoft.com/technet/scriptcenter/resources/qanda/sept05/hey0923.mspx
Or with a restricted group in group policy. To create a Restricted Group do something like this:
- Edit Group Policy.
- Choose Computer Configuration, Windows Settings, Security Settings, Restricted Groups.
- Right-click on Restricted Groups and select Add Group.
- Click Browse.
- Type the name of the group and click OK.
- Click OK again on the Add Group dialog box.
- On the top section labeled Members of This Group click the Add button.
- Click Browse.
- Type in or browse for the desired users or groups that should be members of the new local Restricted Group.
- After adding members to the group, click OK to finish and close the dialog box.
By the way, giving domain users administrative rights on their workstations is a very bad idea but then it sounds like they're already domain admins so I don't suppose it makes much difference now.
--
Rob Moir, Microsoft MVP for Security
Blog Site - http://www.robertmoir.com
Virtual PC 2004 FAQ - http://www.robertmoir.co.uk/win/VirtualPC2004FAQ.html
I'm always surprised at "professionals" who STILL have to be asked:
"Have you checked (event viewer / syslog)".
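The thread's security point is that the "Administrators" group on a DC is the domain's built-in Administrators group (SID S-1-5-32-544), shared by every DC, so a global group nested into it holds DC and (by default) directory admin rights whether or not it is in Domain Admins. The following PowerShell is an added example, not code posted by anyone in this thread: it lists every account that is effectively in that group but not in Domain Admins, and includes the "test one and see" token check for a logon on a DC. It assumes the ActiveDirectory module (RSAT) and read access to the domain; contoso.com is a placeholder.

```powershell
# Added example, not code from the thread. Placeholder domain: contoso.com.
# Requires the ActiveDirectory module (RSAT) and read access to the directory.
Import-Module ActiveDirectory

function Get-EffectiveMembers {
    # Every object that is a member of $GroupDN through any depth of nesting.
    # LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941) makes the DC walk
    # the memberOf chain server-side, so there is no client-side recursion to get wrong.
    # Caveat: it does not see primaryGroupID-based membership (e.g. Domain Users),
    # which does not matter for Administrators but matters for a general audit.
    param([Parameter(Mandatory)][string]$GroupDN)
    Get-ADObject -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$GroupDN)" `
                 -Properties sAMAccountName
}

function Get-UnofficialDomainControllerAdmins {
    # Accounts that are effectively in BUILTIN\Administrators (S-1-5-32-544, the
    # domain's built-in Administrators group that every DC shares) but are NOT
    # effectively in Domain Admins (RID 512). These have full admin on the DCs and,
    # by default, on the directory, without ever appearing in Domain Admins.
    $domain   = Get-ADDomain
    $adminsDN = "CN=Administrators,CN=Builtin,$($domain.DistinguishedName)"
    $daDN     = (Get-ADGroup -Identity "$($domain.DomainSID)-512").DistinguishedName

    $daSet = @{}
    foreach ($o in Get-EffectiveMembers -GroupDN $daDN) { $daSet[$o.DistinguishedName] = $true }

    Get-EffectiveMembers -GroupDN $adminsDN |
        Where-Object { $_.ObjectClass -in 'user','computer','msDS-GroupManagedServiceAccount' -and
                       -not $daSet.ContainsKey($_.DistinguishedName) } |
        Select-Object sAMAccountName, ObjectClass, DistinguishedName
}

function Test-TokenHasBuiltinAdmins {
    # "Test one and see": run this in a session logged on AS THE TEST USER on a DC.
    # Group SIDs are stamped into the token at logon, so a user added to a group after
    # logging on keeps the old token until they log off and on again, and the logon DC
    # must already have received the membership change (Joe's replication point).
    # With UAC the unelevated token lists S-1-5-32-544 as "used for deny only", but the
    # SID is still present in whoami's output, so this check still answers the question.
    $groups = whoami /groups /fo csv | Where-Object { $_ -ne '' } | ConvertFrom-Csv
    [bool]($groups | Where-Object { $_.SID -eq 'S-1-5-32-544' })
}

Get-UnofficialDomainControllerAdmins | Format-Table -AutoSize
"Current token carries BUILTIN\Administrators: $(Test-TokenHasBuiltinAdmins)"
```

If the audit lists accounts that nobody intended to be DC administrators, the fix is to remove the nested group from Administrators, not to add another group to it; and if the token check comes back false for a freshly added user, the usual causes are the two Joe names: the user has not logged off and on since the change, or the DC they logged on to has not received it yet.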
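Rob's Restricted Groups steps end up as a [Group Membership] section in the GPO's security template, GptTmpl.inf, under the policy's Machine\Microsoft\Windows NT\SecEdit folder in SYSVOL. The two boxes in that dialog write two different forms and they do not behave alike: "Members of this group" (__Members) is authoritative and removes every unlisted member at each policy refresh, while "This group is a member of" (__Memberof) only adds the group and leaves existing members alone. For "give these domain users local admin on workstations" the additive form is the one that does not wipe anyone, and a __Members line for S-1-5-32-544 must never reach the Domain Controllers OU, because on a DC that group contains Domain Admins. The following PowerShell is an added example, not from the thread: it generates either form and parses a template to flag the authoritative entries. Group names and the sample template are constructed placeholders; apply real changes through the Group Policy editor rather than by hand-editing SYSVOL, since a hand edit also requires bumping the policy version.

```powershell
# Added example, not code from the thread. Group names are placeholders.
function New-GroupMembershipSection {
    # Emits the [Group Membership] lines Restricted Groups stores in GptTmpl.inf.
    # -Additive uses the "This group is a member of" form (__Memberof): $Group is ADDED to
    # the target group and existing members are left alone.
    # Without -Additive it uses the "Members of this group" form (__Members): the listed
    # accounts become the ONLY members; everyone else is removed at each refresh.
    param(
        [Parameter(Mandatory)][string[]]$Group,      # e.g. 'CONTOSO\Workstation Admins'
        [string]$TargetSid = 'S-1-5-32-544',          # well-known SID of local Administrators
        [switch]$Additive
    )
    $lines = @('[Group Membership]')
    if ($Additive) {
        foreach ($g in $Group) {
            $lines += "${g}__Memberof = *$TargetSid"
            $lines += "${g}__Members ="
        }
    } else {
        $lines += "*${TargetSid}__Memberof ="
        $lines += "*${TargetSid}__Members = " + ($Group -join ',')
    }
    $lines -join "`r`n"
}

function Get-AuthoritativeRestrictedGroups {
    # Parses a GptTmpl.inf and returns each non-empty __Members entry, i.e. every
    # restricted group whose membership the policy will enforce by removing unlisted members.
    param([Parameter(Mandatory)][string]$IniText)
    $inSection = $false
    foreach ($line in $IniText -split "`r?`n") {
        if ($line -match '^\s*\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Group Membership'); continue }
        if (-not $inSection) { continue }
        if ($line -match '^(?<grp>.+?)__Members\s*=\s*(?<val>.*)$') {
            $members = @($Matches.val -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
            if ($members.Count -gt 0) {
                [pscustomobject]@{ Group = $Matches.grp; Members = $members }
            }
        }
    }
}

# Constructed sample template using the authoritative form. On a DC this would strip
# Domain Admins out of Administrators, so it must not be linked to the Domain Controllers OU.
$sample = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = CONTOSO\Workstation Admins
'@

New-GroupMembershipSection -Group 'CONTOSO\Workstation Admins' -Additive
Get-AuthoritativeRestrictedGroups -IniText $sample | Format-List
```

Run the parser against the GptTmpl.inf of every GPO linked at or above the Domain Controllers OU; any hit for *S-1-5-32-544 there is a policy that will rewrite the DCs' Administrators group on the next refresh.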