Re: How to change domain administrator to limited/restricted user?



Sue:

As KJ has pointed out, this could get pretty messy. Depending on the number of users, computers, member servers and the rest of the infrastructure, I might be tempted to start over.

For a test, maybe you could track down the OU for one user/computer combination, compare it to a known good/stable SBS network, correct if necessary, remove the least impacted user from the Domain Admin group, set that user's group membership to the appropriate one for their role (remote user, etc.) and see what further correction you have to make to give them access to their documents and local profile, email, and so on.

If you can fix one, and document the steps as you go along, the rest should get easier. There are few things about messed up permissions, security, and the like that can't be fixed, but it could be both time consuming and frustrating as they are so interconnected.

If one user is so difficult to fix that it seems one would never get done, perhaps you could save all of the users data, export the mailboxes to .pst, copy out his profile, remove the computer and the user from the domain, and try rejoining using the wizards and /connectcomputer.

If it turns out the wizards don't work (in fact you may want to try that first... create a dummy account), you may have to advise the business owner that his SBS will never function properly, what the consequences are of everyone working as a DA, and give him a budget for starting over.

Oh, and download and run the SBS BPA... www.sbsbpa.com

--
Larry



"kj [SBS MVP]" <KevinJ.SBS@xxxxxxxxxxxxxxxxxx> wrote in message news:OmA86P1xIHA.4376@xxxxxxxxxxxxxxxxxxxxxxx
Sue wrote:
On Jun 5, 12:42 pm, "kj [SBS MVP]" <KevinJ....@xxxxxxxxxxxxxxxxxx>
wrote:
Sue wrote:
How do I in Windows 2003 Active Directory, change a domain
administrator to limited or restricted user? The user belongs to a
group, I don't want to change all the users within the group, only
one user. Thanks a lot!

Do you mean "*a* domain administrator" or *the* domain administrator?

If it's "a" domain administrator, then remove the user from the
domain administrator, schema admin, enterprise admin, etc groups. If
a whole group is a member of these groups, then you have other
problems and issues.

--
/kj

Yup, that seems to be the problem, the user is "a" domain
administrator, and in fact all users are domain administrators. I
inherited this domain, and now I am trying to make some of these users
into limited accounts so that they will not be able to install programs
themselves. Any suggestions would be really helpful. Thank you very
much!

Members of the "Domain Admins" group have much more ability than a simple installation of programs. At the very worst, end users should only be local workstation Administrators. SBS(03) does this by default but it's not an ideal scenario.

If your users are members of the "Domain Admins" group then you have a big mess on your hands.

Are the individual users direct members of the Domain Admins group or members of a group added to the Domain Admins group? If the latter, what group has been added to the Domain Admins group?

This sounds like an Enterprise MCSE setup where the workstations were not added by /connectcomputer and the problems 'fixed' by adding them as domain admin. Check a workstation or two and see if the user is a member of the local workstation administrators group.



--
/kj
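As an added example (not code from this thread, and not a Microsoft tool), here is a PowerShell script that does the audit kj asks for and the one-user-at-a-time demotion Larry describes. It uses ADSI/System.DirectoryServices rather than the ActiveDirectory module because a Windows 2003 DC has no AD Web Services; it binds to Domain Admins by its well-known RID 512, follows nested groups so you can see which group was added to Domain Admins, checks primaryGroupID (members by primary group never appear in the member attribute), and checks the local Administrators group on a workstation. "WS01", "jdoe" and "Remote Users" are placeholder names; run it as an account that can read AD and the workstation's local groups.

```powershell
# Added example, not code from the thread. Audits who effectively holds Domain
# Admins on a Windows 2003 domain and demotes one user at a time. Talks plain
# LDAP/WinNT via ADSI, so no AD module or ADWS is needed on the DC.
# Assumed placeholders: workstation WS01, user jdoe, role group "Remote Users".

# Domain Admins always has RID 512, so bind by SID instead of trusting a name or
# container that someone may have renamed or moved.
function Get-DomainAdminsEntry {
    $root     = [ADSI]"LDAP://RootDSE"
    $dom      = [ADSI]("LDAP://" + $root.defaultNamingContext)
    $sidBytes = [byte[]]$dom.psbase.Properties["objectSid"].Value
    $domSid   = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
    [ADSI]("LDAP://<SID=" + $domSid.Value + "-512>")
}

# Walks the member attribute and follows nested groups, so an account that is a
# Domain Admin only "via" some other group is listed together with that group.
function Get-EffectiveMembers {
    param([System.DirectoryServices.DirectoryEntry]$Group,
          [string]$Via = "(direct)",
          [hashtable]$Seen = @{})
    foreach ($dn in @($Group.psbase.Properties["member"])) {
        if ($Seen.ContainsKey($dn)) { continue }      # guard against circular nesting
        $Seen[$dn] = $true
        $m    = [ADSI]"LDAP://$dn"
        $name = [string]$m.psbase.Properties["sAMAccountName"].Value
        if (@($m.psbase.Properties["objectClass"]) -contains "group") {
            Get-EffectiveMembers -Group $m -Via $name -Seen $Seen
        } else {
            New-Object PSObject -Property @{ Account = $name; Via = $Via; DN = $dn }
        }
    }
}

# Users whose primary group is Domain Admins never show up in its member
# attribute, so the list above is only complete once this is checked too.
function Get-PrimaryGroupDomainAdmins {
    $root = [ADSI]"LDAP://RootDSE"
    $nc   = [ADSI]("LDAP://" + $root.defaultNamingContext)
    $s    = New-Object System.DirectoryServices.DirectorySearcher($nc)
    $s.Filter = "(&(objectCategory=person)(primaryGroupID=512))"
    [void]$s.PropertiesToLoad.Add("sAMAccountName")
    foreach ($r in $s.FindAll()) { [string]$r.Properties["samaccountname"][0] }
}

# kj's workstation check: who is in the local Administrators group. Once a user
# is out of Domain Admins, this is the only admin right they should keep.
function Get-LocalAdministrators {
    param([string]$Computer)
    $g = [ADSI]"WinNT://$Computer/Administrators,group"
    $g.psbase.Invoke("Members") | ForEach-Object {
        $_.GetType().InvokeMember("ADsPath", "GetProperty", $null, $_, $null)
    }
}

# Larry's procedure for one user: take them out of Domain Admins, put them in
# the group that matches their role, then go find what broke. Without -Confirm
# it only reports what it would do.
function Move-OutOfDomainAdmins {
    param([string]$SamAccountName, [string]$RoleGroup, [switch]$Confirm)
    $root = [ADSI]"LDAP://RootDSE"
    $nc   = [ADSI]("LDAP://" + $root.defaultNamingContext)
    $s    = New-Object System.DirectoryServices.DirectorySearcher($nc)
    $s.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    $user = $s.FindOne()
    $s.Filter = "(&(objectCategory=group)(sAMAccountName=$RoleGroup))"
    $role = $s.FindOne()
    if (-not $user -or -not $role) { throw "User or role group not found" }
    $user = $user.GetDirectoryEntry()
    $role = $role.GetDirectoryEntry()
    $da   = Get-DomainAdminsEntry
    if (-not $Confirm) {
        return "Would remove $($user.psbase.Path) from Domain Admins and add it to $RoleGroup"
    }
    $da.psbase.Invoke("Remove", $user.psbase.Path)    # IADsGroup::Remove commits immediately
    $role.psbase.Invoke("Add",   $user.psbase.Path)
    "Done; have $SamAccountName log off and on so the new token takes effect"
}

$da = Get-DomainAdminsEntry
"Effective Domain Admins (Via shows the nested group, or direct):"
Get-EffectiveMembers -Group $da | Format-Table Account, Via -AutoSize
"Accounts with primaryGroupID 512:"
Get-PrimaryGroupDomainAdmins
"Local Administrators on WS01:"
Get-LocalAdministrators -Computer "WS01"
# Dry run first; rerun with -Confirm once the first user's profile, documents
# and mail have been checked, as Larry suggests, before moving on to the next.
Move-OutOfDomainAdmins -SamAccountName "jdoe" -RoleGroup "Remote Users"
```

Two things to keep in mind when reading the output. Domain Admins is placed in the local Administrators group of every machine at join time, so taking a user out of Domain Admins also takes away that implicit local-admin right everywhere; the WinNT check tells you whether the user's own account (or a role group) is in local Administrators on their workstation, which is the "local workstation Administrators" state kj describes. And the membership change only affects new logon tokens, so nothing will look different until the user logs off and back on.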

