Re: How to change domain administrator to limited/restricted user?



Sue wrote:
On Jun 5, 12:42 pm, "kj [SBS MVP]" <KevinJ....@xxxxxxxxxxxxxxxxxx>
wrote:
Sue wrote:
How do I in Windows 2003 Active Directory, change a domain
administrator to limited or restricted user? The user belongs to a
group, I don't want to change all the users within the group, only
one user. Thanks a lot!

Do you mean "*a* domain administrator" or *the* domain administrator?

If it's "a" domain administrator, then remove the user from the
domain administrator, schema admin, enterprise admin, etc. groups. If
a whole group is a member of these groups, then you have other
problems and issues.

--
/kj

Yup, that seems to be the problem, the user is "a" domain
administrator, and in fact all users are domain administrators. I
inherited this domain, and now I am trying to make some of these users
into limited accounts so that they will not be able to install programs
themselves. Any suggestions would be really helpful. Thank you very
much!

Members of the "Domain Admins" group have much more ability than a simple
installation of programs. At the very worst end users should only be Local
Workstation Administrators. SBS(03) does this by default but it's not an
ideal scenario.

If your users are members of the "Domain Admins" group then you have a big
mess on your hands.

Are the individual users direct members of the Domain Admins group or
members of a group added to the Domain Admins group? If the latter, what
group has been added to the Domain Admins group?

This sounds like an Enterprise MCSE setup where the workstations were not
added by /connectcomputer and the problems 'fixed' by adding them as domain
admin. Check a workstation or two and see if the user is a member of the
local workstation administrators group.



--
/kj
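
The question in the last reply (direct members of Domain Admins versus members of a group nested inside it) can be answered mechanically from an export of group memberships. This is an added example, not part of the thread: the membership map and all names in it are constructed, and every group is assumed to appear as a key of the map.

```python
from collections import deque

# Constructed sample data (not from the thread): group -> direct members.
# Assumption: anything that is a key here is a group, everything else a user.
MEMBERS = {
    "Domain Admins": ["Administrator", "sue", "Office Staff"],
    "Office Staff": ["alice", "bob", "Front Desk"],
    "Front Desk": ["carol", "Office Staff"],  # nesting loop, must not hang
}

def admin_paths(members, root="Domain Admins"):
    """Map each user to the group chains that make them a member of root."""
    paths = {}
    queue = deque([(root,)])
    seen = {root}  # groups already expanded, guards against nesting loops
    while queue:
        chain = queue.popleft()
        for member in members.get(chain[-1], []):
            if member in members:  # member is itself a group: expand it once
                if member not in seen:
                    seen.add(member)
                    queue.append(chain + (member,))
            else:  # member is a user reached through this chain
                paths.setdefault(member, []).append(chain)
    return paths

def report(members, root="Domain Admins"):
    """Split admins into direct members and those inherited via a nested group.

    Nested users are keyed by the group that was added to root itself,
    because that single membership is what grants them the privilege.
    """
    direct, nested = [], {}
    for user, chains in admin_paths(members, root).items():
        for chain in chains:
            if len(chain) == 1:
                direct.append(user)
            else:
                nested.setdefault(chain[1], []).append(user)
    return sorted(direct), {g: sorted(u) for g, u in nested.items()}

if __name__ == "__main__":
    direct, nested = report(MEMBERS)
    print("Direct members of Domain Admins:", direct)
    for group, users in nested.items():
        print(f"Admins only because '{group}' is in Domain Admins:", users)
```

Direct members have to be removed one account at a time; users listed under a nested group lose the privilege together once that group is taken out of Domain Admins.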

