none
Every user can change group membership

    Question

  • Hi, 

    I have a Windows 2012 Active Directory, and every user can change  the users o groups on the local administrator group, how can i limit this only for the domain admins?

    thanks

    Tuesday, January 24, 2017 8:29 PM

All replies

  • By default, only "Domain Admins" and the local Administrator is in the local Administrators group. It sounds like you have the group "Domain Users" in the local Administrators group. Can you check? The Restricted Groups feature of Group Policy can be used to manage membership in the local Administrators Groups of all domain joined computers.

    Edit: Links to references on Restricted Groups:

    https://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_scerestrictgroups.mspx?mfr=true

    https://technet.microsoft.com/en-us/library/cc756802%28v=ws.10%29.aspx

    https://social.technet.microsoft.com/wiki/contents/articles/20402.active-directory-group-policy-restricted-groups.aspx


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)


    Tuesday, January 24, 2017 8:36 PM
  • First i think you should query amm the owners of the DG

    Get-DistributionGroup -ResultSize unlimited | select name, managedby >txt.txt

    Once you get the list of groups and its owners then you can filter it out and remove the unwanted owners


    Abrar Kaberi

    Tuesday, January 24, 2017 8:44 PM
  • I have check and only the domain admins and the local administrator are on the local administrator group.

    I get this message when run the command: 

    'Get-DistributionGroups' is not recognized as an internal or external command,

    operable program or batch file.

    Thanks

    Wednesday, January 25, 2017 2:27 PM
  • The result when you ran "net localgroup administrators" is normal. So if users can modify the membership of the local Administrators group, they must be members of "Domain Admins", perhaps due to group nesting (they are members of a group which itself is a member of Domain Admins).

    Edit: You can check membership in the Domain Admins group in Active Directory Users and Computers on a DC. Or if you have PowerShell and the AD modules, you can run the following at a PowerShell prompt:

    Get-ADGroupMember "Domain Admins" | Select Name, objectClass

    If any members are groups, you can either query for members of the nested group, or you can use the -Recursive parameter as follows to get all effective members:

    Get-ADGroupMember "Domain Admins" -Recursive | Select Name


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)


    Wednesday, January 25, 2017 3:08 PM
  • This are the members of the domain admin groups, 

    and is member of:

    I have one user named cafes, who is member only of the domain users group

    Whit this users i can add users or groups to the local administratos group.

    Wednesday, January 25, 2017 6:07 PM
  • Hi,
    Have you checked if the domain users group is listed in Enterprise Admins group? Members in this group can modify the membership of all administrative groups. Please see: https://technet.microsoft.com/en-us/library/dn579255(v=ws.11).aspx#BKMK_DeniedRODCPwdRepl
    In addition, I would suggest that you could take a look at the Group Policy Restricted Groups, when using a Restricted Groups Group Policy, any current member of the group that is not on the “Members” list will be removed. All users / domain groups that are in the “Members” list and are not members of the group will be added as members. Please see: https://social.technet.microsoft.com/wiki/contents/articles/20402.active-directory-group-policy-restricted-groups.aspx
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, January 30, 2017 3:21 AM
    Moderator
  • Hi,

    Was your issue resolved? If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.

    If you resolve it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.

    If no, please reply and tell us the current situation in order to provide further help.

    Best Regards,

    Wendy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Friday, February 3, 2017 8:10 AM
    Moderator