Re: Settle a Administrator's dispute
- From: "Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx>
- Date: Sun, 06 Aug 2006 10:12:51 -0400
Then what you are seeing with the administrators group is local to your installation, it isn't an MSFT default.
As for why administrators is often labeled as a localgroup it is because it is historically manipulated by the legacy LocalGroup subset of functions in the NET API. Probably because it had the same membership rules of local groups.
joe
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
savvy95 wrote:
Joe -- I do believe he's dorked with the permissions and I looked at the permissions with a resource kit tool, acldiag and concluded that anyone who's a member of the builtin/Administrators group has full control of some security principals but not others. In some cases the group has read only. This leads me to my first statement..
Thank you all for your input and suggestions
BTW -- if you look at the properties of the builtin/Administrators group, you will see it is called a "Local Group". I don't know why MS does this.
thanks again.
"Joe Richards [MVP]" wrote:
It is moot, if a user is in Administrators or Domain Admins they can give themselves as much rights as they want in the forest.
But anyway, you can look at the ACLs in AD to see what rights the two groups have over AD.
By default, both administrators and Domain Admins have CREATE CHILD within the domain so they could both create objects. They also, by default have WRITE PROPERTY which means they can change any attributes they want.
joe
savvy95 wrote:
We have a dispute where one Admin disagrees with another 2 regarding the Administrators Local Group ON THE DOMAIN CONTROLLER. We are not talking about the group on the workstation.
I'd like confirmation that I'm correct.
Our disagreeable admin says that if a Global Group is put into the Administrators Local Group on the DC but not in the Domain Admins Global Group, the users of the Global Group do not have the same permissions as the Administrator account -- particularly to add/modify/delete user/computer/group accounts in AD.
Can you help settle this dispute?
The original problem was to give domain user accounts local administrator rights.
All help is appreciated.
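
Added example, not part of the original thread: one way to carry out the "look at the ACLs in AD" check is to take the security descriptor of the domain object in SDDL form and compare what BUILTIN\Administrators (SDDL alias `BA`) and Domain Admins (alias `DA`) are granted. The SDDL string below is constructed for illustration and is not a Microsoft default; the function names are hypothetical, and conditional ACEs are not handled.

```python
import re

# SDDL rights codes seen on directory objects -> (name, access-mask bit).
RIGHTS = {
    "CC": ("CREATE_CHILD", 0x1), "DC": ("DELETE_CHILD", 0x2),
    "LC": ("LIST_CONTENTS", 0x4), "SW": ("SELF_WRITE", 0x8),
    "RP": ("READ_PROPERTY", 0x10), "WP": ("WRITE_PROPERTY", 0x20),
    "DT": ("DELETE_TREE", 0x40), "LO": ("LIST_OBJECT", 0x80),
    "CR": ("CONTROL_ACCESS", 0x100), "SD": ("DELETE", 0x10000),
    "RC": ("READ_CONTROL", 0x20000), "WD": ("WRITE_DAC", 0x40000),
    "WO": ("WRITE_OWNER", 0x80000), "GA": ("GENERIC_ALL", 0x10000000),
    "GX": ("GENERIC_EXECUTE", 0x20000000), "GW": ("GENERIC_WRITE", 0x40000000),
    "GR": ("GENERIC_READ", 0x80000000),
}

# Constructed sample DACL (not a Microsoft default): DA gets broad rights,
# BA gets read-only plus one inherit-only, object-specific WRITE_PROPERTY ACE.
SAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    "(A;CI;RPWPCCDCLCSWRCWDWOSD;;;DA)"
    "(A;CI;RPLCLORC;;;BA)"
    "(OA;CIIO;WP;00000000-0000-0000-0000-000000000000;;BA)"
    "(A;;RPLCRC;;;AU)"
)

def decode_rights(field):
    """Return right names from an ACE rights field (letter codes or hex mask)."""
    if field.lower().startswith("0x"):
        mask = int(field, 16)
        return {name for name, bit in RIGHTS.values() if mask & bit}
    codes = re.findall("..", field)
    if len(field) % 2 or any(c not in RIGHTS for c in codes):
        raise ValueError(f"unrecognised rights field: {field!r}")
    return {RIGHTS[c][0] for c in codes}

def rights_by_trustee(sddl, trustees=("BA", "DA")):
    """Collect allow/deny/scoped rights per trustee alias from the DACL."""
    dacl = re.search(r"D:[^()]*((?:\([^()]*\))+)", sddl)
    out = {t: {"allow": set(), "deny": set(), "scoped": set()} for t in trustees}
    for body in re.findall(r"\(([^()]*)\)", dacl.group(1) if dacl else ""):
        ace_type, flags, rights, _obj, _inh, sid = body.split(";")[:6]
        if sid not in out:
            continue
        # Object-specific (OA/OD) and inherit-only (IO) ACEs are scoped, not object-wide.
        if ace_type in ("OA", "OD") or "IO" in re.findall("..", flags):
            out[sid]["scoped"] |= decode_rights(rights)
        elif ace_type in ("A", "D"):
            out[sid]["allow" if ace_type == "A" else "deny"] |= decode_rights(rights)
    return out
```

Calling `rights_by_trustee(SAMPLE_SDDL)` on the constructed descriptor shows `DA` holding CREATE_CHILD and WRITE_PROPERTY object-wide while `BA` holds only read rights, which is the kind of non-default difference discussed in the thread.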