Re: Settle a Administrator's dispute

From: "Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx>
Date: Sat, 05 Aug 2006 15:10:18 -0400

It is moot, if a user is in Administrators or Domain Admins they can give themselves as much rights as they want in the forest.

But anyway, you can look at the ACLs in AD to see what rights the two groups have over AD.

By default, both administrators and Domain Admins have CREATE CHILD within the domain so they could both create objects. They also, by default have WRITE PROPERTY which means they can change any attributes they want.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net

---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm

savvy95 wrote:

We have a dispute where one Admin disagrees with another 2 regarding the Administrators Local Group ON THE DOMAIN CONTROLLER. We are not talking about the group on the workstation.

I'd like confirmation that I'm correct.

Our disagreeable admin says that if a Global Group is put into the Administrators Local Group on the DC but not in the Domain Admins Global Group, the users of the Global Group do not have the same permissions as the Administrator account -- particularly to add/modify/delete user/computer/group accounts in AD.

Can you help settle this dispute.

The original problem was to give domain user accounts local administrator rights.

All help is appreciated.

Follow-Ups:
- Re: Settle a Administrator's dispute
  - From: Jorge Silva
- Re: Settle a Administrator's dispute
  - From: savvy95

Prev by Date: Re: PDC EMU ?
Next by Date: Re: more logon script questions
Previous by thread: Re: Settle a Administrator's dispute
Next by thread: Re: Settle a Administrator's dispute
Index(es):
- Date
- Thread

Relevant Pages

RE: software to control domain administrators
... "Does anyone know any software to control, audit, or restrict access or privileges to domain administrators." ... I will restate my mantra differently, If you can not trust someone to be in a position of complete un-adulterated control of your network, then they should not be in that position. ... >(assuming we are talking about NT/AD Domain Admins) ...
(Security-Basics)
Re: Change permissions for domain administrators group
... changing permissions or configurations to prevent domain admins or administrators from doing things, is just a waste of time. ... I need to change the rights for the domain administrators group. ...
(microsoft.public.windows.server.active_directory)
Re: Settle a Administrators dispute
... I wasn't saying that administrators couldn't add themselves to other groups. ... I was saying the original question was a moot point because both admins and domain admins can give themselves as much rights in the forest as they want so even if someone took some rights away from the administrator account, you didn't actually stop anything because they can just give those rights back. ...
(microsoft.public.windows.server.active_directory)
Re: Domain administrator local admin on every machine
... Furthermore once i setup the domain admins i want to ... disable all local accounts, or at least prevent login to local ... net user Administrator SomeStrongPassword ... net localgroup Administrators "Domain Admins" BackupAdmin /add ...
(microsoft.public.windows.server.general)
Re: Settle a Administrators dispute
... Administrators Local Group on the DC but not in the Domain Admins ... Global Group, the users of the Global Group do not have the same ... restricted groups policy. ...
(microsoft.public.windows.server.active_directory)