
Does domain controller's administrator gain too much permissions

microsoft.public.windows.server.security
Posted by AJang on April 4, 2006, 5:11 am
Situation:
DomainControllerA was a domain controller of domain TEST.
WorkStationB joined the domain TEST.

Then, Administrator of DomainControllerA became a member of Administrators
of WorkStationB, it possessed the whole control of WorkStationB.
It seems to me that Administrator of DomainControllerA gained too much power.
How to fix it and retain the power of Active Directory?
Or what article I should read first?
Thanks
Ajang


Posted by Laura E. Hunter [MVP] on April 4, 2006, 9:15 am
By default, the Domain Admins group is made a member of the local
Administrators group on any workstation or member server that is joined to
the domain. If you wish to change this default behaviour, you can use the
Restricted Groups option available in Group Policy. See the following link
for more information:

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_scerestrictgroups.mspx?mfr=true

HTH


--
Laura E. Hunter: MVP Windows Server - Networking
All replies to newsgroup, please
Post provided as-is, no warranties expressed or implied





Posted by Roger Abell [MVP] on April 4, 2006, 9:29 am
There is no requirement that the adjustments of machine local groups
that happen as part of domain join must be retained. You are free to
remove Domain Admins from the machine local Administrators, and
Domain Users from Users, etc.
However, seeing the need for this is perhaps a symptom that you
do not have the correct people as Domain Admins. Doing this does
not limit Active Directory itself. It does limit some products that could
make use of Active Directory and certainly this does destroy the ability
of Domain Admins to configure and safeguard the whole domain.




Posted by Steven L Umbach on April 4, 2006, 2:42 pm
That is default behavior. Any domain level administrator has complete power
over the domain and maybe the forest. You can remove the domain admins group
from the local administrators group on any domain computer but a domain
administrator can always add it back. I agree with Roger in that you must be
able to trust your domain level administrators.
[administrator/administrators/domain admins/enterprise admins/schema
admins]. --- Steve




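Added example, not part of any post in this thread: a PowerShell check that lists who holds local Administrators on a domain member and marks the domain-level principals the replies name, so that membership which differs from the intended list (for instance Domain Admins being added back) shows up on review. The member list, the SIDs, and the `TEST\Workstation Support` and `TEST\jdoe` names are constructed for illustration; `Test-LocalAdminMember` is a hypothetical helper name.

```powershell
# Added example. Member list is constructed sample data (SIDs are placeholders).
# On a live domain member, replace it with:
#   $members = Get-LocalGroupMember -SID 'S-1-5-32-544'   # BUILTIN\Administrators
$wks = 'S-1-5-21-1000000001-1000000002-1000000003'   # constructed machine SID
$dom = 'S-1-5-21-2000000001-2000000002-2000000003'   # constructed domain SID
$members = @(
    [pscustomobject]@{ Name = 'WORKSTATIONB\Administrator'; SID = "$wks-500";  PrincipalSource = 'Local' }
    [pscustomobject]@{ Name = 'TEST\Domain Admins';         SID = "$dom-512";  PrincipalSource = 'ActiveDirectory' }
    [pscustomobject]@{ Name = 'TEST\Workstation Support';   SID = "$dom-1104"; PrincipalSource = 'ActiveDirectory' }
    [pscustomobject]@{ Name = 'TEST\jdoe';                  SID = "$dom-1121"; PrincipalSource = 'ActiveDirectory' }
)

function Test-LocalAdminMember {
    param(
        [Parameter(Mandatory)] [object[]] $Member,
        [string[]] $AllowedName = @()
    )
    # Well-known relative IDs of the domain-level principals named in the thread.
    $domainRid = @{
        '500' = 'domain Administrator account'
        '512' = 'Domain Admins'
        '518' = 'Schema Admins'
        '519' = 'Enterprise Admins'
    }
    foreach ($m in $Member) {
        $rid      = ([string]$m.SID).Split('-')[-1]
        $isDomain = [string]$m.PrincipalSource -eq 'ActiveDirectory'
        # Domain-level principals are always reported, even if allow-listed,
        # so the reviewer decides whether they belong on this machine.
        $finding  = if ($isDomain -and $domainRid.ContainsKey($rid)) {
            "domain-level admin ($($domainRid[$rid]))"
        } elseif ($AllowedName -contains $m.Name) {
            'allowed'
        } else {
            'unexpected member'
        }
        [pscustomobject]@{ Name = $m.Name; Source = $m.PrincipalSource; Finding = $finding }
    }
}

# The allow-list plays the role of the membership a Restricted Groups policy would define.
Test-LocalAdminMember -Member $members `
    -AllowedName 'WORKSTATIONB\Administrator', 'TEST\Workstation Support' |
    Format-Table -AutoSize
```

With the sample data, `TEST\Domain Admins` is reported as a domain-level admin, `TEST\jdoe` as an unexpected member, and the other two as allowed.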
