Re: Add Domain Admin to local XP Admin group

Security principals with EA rights are highly privileged accounts. Anyone who has the creds of an EA has the "keys to the kingdom".
How well do you secure these Wks which you want to add the EA/DA-from-other-domain group to? Do you cache credentials? Are the users also admins of the Wks?
I can think of many ways to cause you pain and I'm not "the bad guy".
There are many ways, I'm sure, to achieve what you want without exposing privileged accounts from other domains or EAs.

If a user in someOtherDomain is required to be an admin on workstations in thisDomain, I'd create a "Domain Local" group in thisDomain, add the user(s) from someOtherDomain to the group, and assign the Domain Local group to the resource in question. I'd also make sure this account is not an EA account.

Most orgs define some way of managing local admin creds on Wks: from having the same username and password on all workstations (not the appropriate way) to having some automated process to retrieve and change the admin passwords. These are the creds used when the Wks needs some troubleshooting and can't get on the network. For when the machine is on the network, your delegated admins' creds will suffice. You do not need to add DAs or EAs.
This might assist: http://technet2.microsoft.com/windowsserver/en/library/1b3070ce-c6b1-4849-ae47-ce17bbec17ee1033.mspx?mfr=true


Regards,

Austin
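One way to carry out the approach above (a Domain Local group in the child domain holding the other domain's user, then a Restricted Groups setting that adds that group to local Administrators rather than replacing the membership, plus a check for EA/parent DA principals on the box), as an added PowerShell example that is not from the thread. Domain names, OU path, user and group names are assumptions.

```powershell
# Added example (not from the thread). Assumed names: child domain thisDomain.example,
# parent domain someOtherDomain.example, user jdoe, group Wks-LocalAdmins, OU=Groups.
Import-Module ActiveDirectory

$Child  = 'thisDomain.example'
$Parent = 'someOtherDomain.example'
$Group  = 'Wks-LocalAdmins'

# 1. Domain Local group in the child domain holds the cross-domain admin users.
#    Deliberately an ordinary user from the other domain, never an EA or DA account.
New-ADGroup -Name $Group -GroupScope DomainLocal -GroupCategory Security `
    -Path "OU=Groups,DC=thisDomain,DC=example" -Server $Child
$user = Get-ADUser -Identity 'jdoe' -Server $Parent
Add-ADGroupMember -Identity $Group -Members $user -Server $Child

# 2. Restricted Groups template. "__Memberof" ADDS the group to local Administrators
#    (SID S-1-5-32-544) and leaves Domain Admins in place. The "__Members" form,
#    e.g.  *S-1-5-32-544__Members = *<sid>  , REPLACES the whole membership, which is
#    how Domain Admins ends up wiped out of local Administrators on every workstation.
$sid = (Get-ADGroup -Identity $Group -Server $Child).SID.Value
$template = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Group Membership]
*${sid}__Memberof = *S-1-5-32-544
"@

# Apply to one test workstation first; for scale, put the same Restricted Groups setting
# in a GPO linked to the workstation OU (Security Settings > Restricted Groups).
$inf = Join-Path $env:TEMP 'rgp.inf'
$template | Set-Content -Path $inf -Encoding Unicode
secedit /configure /db (Join-Path $env:TEMP 'rgp.sdb') /cfg $inf /areas GROUP_MGMT

# 3. Audit: flag EA or parent-domain DA principals in local Administrators, which
#    should never be there. Uses the ADSI WinNT provider, so it also works on XP.
function Get-LocalAdminMembers {
    $grp = [ADSI]'WinNT://./Administrators,group'
    foreach ($m in @($grp.Invoke('Members'))) {
        $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null) -replace '^WinNT://', ''
    }
}
$parentNetbios = $Parent.Split('.')[0]
$bad = Get-LocalAdminMembers | Where-Object { $_ -match 'Enterprise Admins$' -or $_ -match "^$parentNetbios/Domain Admins$" }
if ($bad) { Write-Warning "Privileged cross-domain principals in local Administrators: $($bad -join ', ')" }
```

Run steps 1 and 2 from a box with the AD and secedit tooling; step 3 can be dropped into a logon or inventory script to catch workstations where an EA or parent DA has been added by hand.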


"Scott Micale" <hrm_admin@xxxxxxxxxxxxxx> wrote in message news:ObXl1gNEIHA.3712@xxxxxxxxxxxxxxxxxxxxxxx
Can you explain why?


"Austin Osuide" <austin@xxxxxxxxxxx> wrote in message news:eCSzRwDEIHA.4196@xxxxxxxxxxxxxxxxxxxxxxx
Also, Scott, and probably more importantly, make sure you understand the security ramifications of what you are trying to do.
It is not that way by default for very good reasons.

Regards,

Austin


"Scott Micale" <hrm_admin@xxxxxxxxxxxxxx> wrote in message news:uf5HuRDEIHA.4296@xxxxxxxxxxxxxxxxxxxxxxx
Or Scott,
Are you saying you want EAs and/or Parent Domain DAs to be local admins on the workstations? Yes, this is what I am saying.


"Jorge Silva" <jorgesilva_pt@xxxxxxxxxxx> wrote in message news:OWgTNJDEIHA.5324@xxxxxxxxxxxxxxxxxxxxxxx
Make sure that you understand how RGP works before implementing.


--
===================================
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services
===================================

"Austin Osuide" <austin@xxxxxxxxxxx> wrote in message news:948Ri.8400$mj.7799@xxxxxxxxxxxxxxxxxxxxxxxx
Or Scott,
Are you saying you want EAs and/or Parent Domain DAs to be local admins on the workstations?
If that's what you want to do (I would not use an EA account to log on to a workstation. Ever.) then a "Restricted Group" policy is the way to go.

Regards,

Austin

"Scott Micale" <hrm_admin@xxxxxxxxxxxxxx> wrote in message news:Oo8ElzBEIHA.2268@xxxxxxxxxxxxxxxxxxxxxxx
Yes, Domain Admins are in the local Administrators group. I need to add either Domain Admins from a parent domain or the Enterprise Admins to the child domain's local Administrators group.


"Jorge Silva" <jorgesilva_pt@xxxxxxxxxxx> wrote in message news:u1Odd$%23DIHA.1188@xxxxxxxxxxxxxxxxxxxxxxx
My point was, if you mess with RGP you can easily wipe out the DA from local Administrators in a given workstation or in all Workstations.

The poster doesn't give much information, but something had to be done to wipe out the DA from the local Administrators group. By default it's there, but after you mess with that you can remove them from local Admins.


--
===================================
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services
===================================

"Austin Osuide" <austin@xxxxxxxxxxx> wrote in message news:up1AKX9DIHA.4476@xxxxxxxxxxxxxxxxxxxxxxx
;-)
We'll call it a draw then, Jorge.
Unlikely GP is involved, because if it was, the question would already be answered. GP (or a script) is how you centrally effect a change on several boxes.
But the question is about DA in the local Administrators group, and this is not controlled by the RG policy, though that can affect it if it has been modified by someone other than the caller. :-)

Regards,

Austin

"Jorge Silva" <jorgesilva_pt@xxxxxxxxxxx> wrote in message news:OTLvqa4DIHA.5328@xxxxxxxxxxxxxxxxxxxxxxx
Probably not, because someone already messed with RGP; that's why I mentioned it. Or maybe I'm wrong...

;)

--
===================================
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services
===================================

"Austin Osuide" <austin@xxxxxxxxxxx> wrote in message news:eeSQi.2228$hg.342@xxxxxxxxxxxxxxxxxxxxxxxxx
Hi Scott,
When you join a machine to the domain, the Domain Admins group is made a member of the local Administrators group of the machine by default. Are you not seeing this when you join a machine to the domain?

Regards,

Austin
"Scott Micale" <hrm_admin@xxxxxxxxxxxxxx> wrote in message news:un%23lvm3DIHA.5160@xxxxxxxxxxxxxxxxxxxxxxx
Is there a way to add a domain admin to the XP local Administrators group through a group policy so I don't have to do it on every PC I have?

Thanks