When Joining a Domain, How to Remove Pre-Domain Accounts and Change Permissions?

    Question

  • Is there an application to remove the Computer\Administrators group and the Computer\Administrator account and their permissions across the registry and file system and replace them with the Enterprise|Domain\Administrators group after joining a system to a domain?
    Friday, June 08, 2018 10:18 AM

Answers

  • On 08.06.2018 at 12:18, AlaskanRogue wrote:
    > Is there an application to remove the Computer\Administrators group and
    > the Computer\Administrator account and their permissions across the
    > registry and file system and replace them with the
    > Enterprise|Domain\Administrators group after joining a system to a domain?
     
    Why? That makes completely no sense. In the end /someone/ needs to
    administrate the system. That can be done as a domain USER account
    joined into the group of the local Administrators group.
     
    In your scenarios, you would create an Administrator group that has only
    User permissions. So why not use the existing User group directly?
     
    Do NOT make normal users members of Administrators and you are done.
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - German
     
    GET Privacy and DISABLE Telemetry on Windows 10
     
    • Marked as answer by AlaskanRogue Tuesday, June 12, 2018 10:00 AM
    Tuesday, June 12, 2018 6:22 AM
  • On 12.06.2018 at 14:00, AlaskanRogue wrote:
    > Mark, that makes sense!!!
     
    For security reasons: Never administrate an unsecure client with a domain
    admin account. If the client is hacked, you gain the credentials of the
    most powerful account.
     
    Always create a "Client Admin", that is only a user inside AD, but
    integrates into the LOCAL Admin group on the client.
     
    If this account is hacked, it will only break your clients, but not
    directly your AD ...
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - German
     
    GET Privacy and DISABLE Telemetry on Windows 10
     
    • Marked as answer by AlaskanRogue Wednesday, June 13, 2018 2:29 PM
    Tuesday, June 12, 2018 8:17 PM
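
The "Client Admin" setup described in the answer above, as an added example that is not part of the original thread or any Microsoft script. It assumes Windows PowerShell 5.1 with the built-in LocalAccounts cmdlets; `CONTOSO\ClientAdmins` and both function names are hypothetical.

```powershell
# Added example. 'CONTOSO\ClientAdmins' is a hypothetical AD group holding only
# the ordinary domain user accounts that are used to administer clients.
# Run from an elevated PowerShell session on the client.

$LocalAdminsSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

function Test-IsForestPrivilegedSid {
    # True for a domain's Domain Admins (RID 512) or Enterprise Admins (RID 519).
    param([Parameter(Mandatory)][string]$Sid)
    return $Sid -match '^S-1-5-21-(\d+-){3}(512|519)$'
}

function Add-ClientAdmin {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Principal)

    # Resolve the name to a SID so the checks do not depend on localized names.
    $sid = ([System.Security.Principal.NTAccount]$Principal).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value

    # Refuse to use the most powerful AD groups as the client admin principal.
    if (Test-IsForestPrivilegedSid $sid) {
        throw "$Principal is Domain/Enterprise Admins; use a dedicated client admin."
    }

    $members = Get-LocalGroupMember -SID $LocalAdminsSid
    if ($members.SID.Value -contains $sid) {
        Write-Verbose "$Principal is already a local administrator."
    }
    elseif ($PSCmdlet.ShouldProcess($env:COMPUTERNAME,
            "Add $Principal to local Administrators")) {
        Add-LocalGroupMember -SID $LocalAdminsSid -Member $Principal
    }

    # Report the resulting membership and flag forest-privileged groups in it.
    Get-LocalGroupMember -SID $LocalAdminsSid |
        Select-Object Name, ObjectClass, PrincipalSource,
            @{ n = 'ForestPrivileged'
               e = { Test-IsForestPrivilegedSid $_.SID.Value } }
}

# Dry run: shows what would change without modifying the group.
Add-ClientAdmin -Principal 'CONTOSO\ClientAdmins' -WhatIf
```

The check only rejects the Domain Admins and Enterprise Admins groups themselves; it does not look up whether a given user account is a member of those groups in AD.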

All replies

  • Mark, that makes sense!!!
    Tuesday, June 12, 2018 12:00 PM
  • Do you know of any MS documentation that provides these insights that can be shared?
    Wednesday, June 13, 2018 2:29 PM