Is it safe to add users in Domain\Administrators built-in group?

    Question

  • Hello,

    Just wondering whether it is safe to add users in the Domain\Administrators built-in group?

    I need to allow a few junior admins to log on to the DC to perform backup and a few other maintenance activities without giving them domain admin rights.

    Also, what's the significance of the Domain\Administrators group?

    Thanks


    Thanks !

    Thursday, June 14, 2012 1:33 PM

Answers

  • Hello,

    If you add them to that security group, they have too many permissions:

    "Administrators-------This group has complete control over all domain controllers and all directory content stored in the domain, and it can change the membership of all administrative groups in the domain. It is the most powerful service administrative group." http://technet.microsoft.com/en-us/library/cc700835.aspx


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    • Marked as answer by Jayawardhane Thursday, June 14, 2012 2:26 PM
    Thursday, June 14, 2012 2:13 PM
  • Hello,

    No, it is not a standard practice to give membership of the Administrators group, as it is one of the most powerful groups in the domain.

    Giving Administrators membership means you are giving free access to each and every object that comes under the domain roof.

    You may create a group named XYZ and give it membership of "Performance Monitor Users", "Server Operators", "Performance Monitor Users", "Network Configuration Operators", "Backup Operators" and add those Jr Admins to this group.

    You can also use delegation of rights; use the articles below to see how to do so:

    http://www.windowsecurity.com/articles/Implementing-Active-Directory-Delegation-Administration.html for 2k3

    http://kpytko.wordpress.com/2012/05/16/active-directory-rights-delegation-overview/ for 2k8


    Hope it helps

    Best regards
    Sarang Tinguria
    MCP, MCSA, MCTS

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    • Marked as answer by Jayawardhane Thursday, June 14, 2012 2:26 PM
    Thursday, June 14, 2012 2:15 PM
  • I would NOT suggest adding users to Domain\Administrators built-in group.

    Members of the Domain\Administrators group will have full control of all domain controllers in the domain. By default, the Domain Admins and Enterprise Admins groups are members of the Administrators group. The Administrator account is also a default member. Because this group has full control in the domain, it's not advised to add junior admins.

    For backup and other maintenance activities, you add junior admins to the Server Operators group. However, please be informed that members of the Server Operators group can log on interactively, create and delete shared resources, start and stop some services, back up and restore files, format the hard disk, and shut down the computer. This group has no default members. Because this group has significant power on domain controllers, add users with caution.


    Press any key... What the ... Where's any key ?

    This posting is provided "AS IS" with no warranties or guarantees and confers no rights.

    About Me ?

    • Marked as answer by Jayawardhane Thursday, June 14, 2012 2:26 PM
    Thursday, June 14, 2012 2:18 PM
    Moderator
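
The answers above rely on nested membership (Domain Admins and Enterprise Admins sit inside Administrators; a custom group such as XYZ can sit inside the operator groups). The following is an added example, not part of the thread or written by any poster: it expands nested groups to the accounts that effectively hold each privileged group and lists those not on an approved list. The membership table, the account names, the Helpdesk group and the allowlist are constructed sample data.

```powershell
# Constructed sample data: group name -> direct members. In a live domain this
# table would be built from directory queries (for example Get-ADGroupMember).
$DirectMembers = @{
    'Administrators'    = @('Administrator', 'Domain Admins', 'Enterprise Admins')
    'Domain Admins'     = @('Administrator', 'alice.da')
    'Enterprise Admins' = @('Administrator')
    'Server Operators'  = @('XYZ')
    'Backup Operators'  = @('XYZ')
    'XYZ'               = @('jr.admin1', 'jr.admin2', 'Helpdesk')
    'Helpdesk'          = @('temp.contractor', 'XYZ')   # deliberate nesting loop
}

# Hypothetical allowlist: accounts approved to hold each privileged group.
$Approved = @{
    'Administrators'   = @('Administrator', 'alice.da')
    'Server Operators' = @('jr.admin1', 'jr.admin2')
    'Backup Operators' = @('jr.admin1', 'jr.admin2')
}

function Get-EffectiveMember {
    # Returns every non-group account reachable from $Group through nesting.
    param([string]$Group, [hashtable]$Map)
    $cmp   = [System.StringComparer]::OrdinalIgnoreCase
    $seen  = [System.Collections.Generic.HashSet[string]]::new($cmp)
    $users = [System.Collections.Generic.HashSet[string]]::new($cmp)
    $stack = [System.Collections.Generic.Stack[string]]::new()
    $stack.Push($Group)
    while ($stack.Count -gt 0) {
        $current = $stack.Pop()
        if (-not $seen.Add($current)) { continue }   # already expanded: stops loops
        foreach ($m in $Map[$current]) {
            if ($Map.ContainsKey($m)) { $stack.Push($m) } else { [void]$users.Add($m) }
        }
    }
    return @($users | Sort-Object)
}

function Find-UnapprovedMember {
    # Emits one object per account that holds a privileged group without approval.
    param([hashtable]$Map, [hashtable]$Allow)
    foreach ($group in ($Allow.Keys | Sort-Object)) {
        foreach ($user in (Get-EffectiveMember -Group $group -Map $Map)) {
            if ($Allow[$group] -notcontains $user) {
                [pscustomobject]@{ Group = $group; Account = $user }
            }
        }
    }
}

Find-UnapprovedMember -Map $DirectMembers -Allow $Approved | Format-Table -AutoSize
```

Run on a schedule, a check like this catches accounts that reach Server Operators or Backup Operators only through an intermediate group, which a direct-membership listing would not show.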

All replies

  • Thanks guys. Information is helpful.

    Thanks !

    Thursday, June 14, 2012 2:25 PM