Re: Grant Administrative Access to a Domain Controller

Tech Tip: Click here to run a free scan for Windows Errors and optimize PC performance

You can even keep it simpler than that, if your domain group is nested
inside of the domain admins group, all you would have to do is is
simply deny the domain group full control at the domain root level of
active directory, since deny permissions within AD take precedence,
members of that group will have no permissions within AD, but will
still retain admin rights on the server itself, I have tested this and
found this to be the case.


MPerrault wrote:
Joe Richards [MVP] wrote:
Then you aren't dealing with very informed people. Getting into AD that
you have no rights in but you do have access to isn't all that involved.
If you already have rights it is that much easier.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm




Of course you can lock yourself out of AD. I've seen it happen all the
time.

Michael P. Perrault
MCSE, CCNA, A+, MBA
Senior Systems Engineer,
ScriptLogic Corporation

Michael.Perrault@xxxxxxxxxxxxxxx
www.scriptlogic.com
http://groups-beta.google.com/group/scriptlogic-desktop-authority


If you remove domain admins group from perms in AD you remove there
Domain Admins privledges, same if you Deny them access. They can still
log onto the machine but will have no AD control.

Michael P. Perrault
MCSE, CCNA, A+, MBA
Senior Systems Engineer,
ScriptLogic Corporation

Michael.Perrault@xxxxxxxxxxxxxxx
www.scriptlogic.com
http://groups-beta.google.com/group/scriptlogic-desktop-authority

.

Relevant Pages

  • Re: NT4->2003 Computer Account Migration Problem
    ... win2k3 domain, domain admin is by default the computer's local admin. ... and remigrate the computers using a specific account to perform migration ... Add NT Domain Admin to Win2k3Dom Domain admins group and Win2k3Dom ...
    (microsoft.public.windows.server.migration)
  • Re: Rights and Permissions of Domain Admins group in AD
    ... Domain Admins does have special rights in W2K from what I remember, ... > In a native-mode Active Directory environment, ... > domain controllers and on member servers and workstations? ...
    (microsoft.public.win2000.security)
  • Re: Domain Admin Share
    ... Domain Admins have special rights to the domain by default. ... Administrators only have rights to the DC. ... I believe that only the NT Domain Admins have that right by default. ... Domain Admins group to the NT Domain Admins group. ...
    (microsoft.public.windows.server.active_directory)
  • Re: Domain user with local administrators right
    ... domain account to the domain admins group, this is in turn a member of the ... with this domain account (selecting the domain from the drop down box under ... If the server is a domain controller, then there is no local administrators ... group so membership of domain admins should suffice. ...
    (microsoft.public.windows.server.active_directory)
  • Exchange 2007 forest prep
    ... The services refuse to start unless the Exchange Server security group ... is part of the Domain Admins group. ...
    (microsoft.public.exchange.admin)