To be Admin, or Domain Admin, that is my quandary

  • Question

  • So, I've been trying to sort through my list of domain users, and separate them into different categories. That worked fine. However, I wanted the users to be able to install software on their machines, so I added them to the "Administrators" group. Well, turns out they still can't install anything. They can only install software and do admin type things if they are added to the DOMAIN ADMINS group. What gives? I don't understand that. I thought that the administrators group allowed for admin type functions on each local machine for that user, and domain admins were given access to domain functions. Am I confused or is there something else awry?
    Thursday, September 22, 2011 1:27 PM

Answers

  • Administrators is a built-in group.  This will give you access on Domain Controllers, not in the entire domain.

    Domain Admins – Gives you full admin privilege in the entire domain.  “By default”, the Domain Admins group is part of the local Administrators group on all servers and workstations.  That is the reason you are getting admin privilege on the servers and workstations.

    If your goal is to provide admin access on workstations and servers, it is better to create a new security group and deploy it using a Restricted Groups GPO.  Paul has provided this info.


    Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+| Houston, TX
    Blogs - http://blogs.sivarajan.com/


    This posting is provided AS IS with no warranties,and confers no rights.
    • Proposed as answer by Jorge Mederos Thursday, September 22, 2011 5:39 PM
    • Marked as answer by Elytis Cheng Tuesday, September 27, 2011 9:07 AM
    Thursday, September 22, 2011 2:37 PM
  • I think Santhosh clearly understands, based on what I have read in your original posting.  There is a built-in domain local group in AD called "Administrators" as well as a global group called "Domain Admins".  Members of the Administrators group are actually administrators of the Domain Controllers.  This group does not have admin access on the domain members, such as workstations and servers.  The Domain Admins do.  This is because the Domain Admins group is a member of the local Administrators group on every machine in the domain.

    The reason why Domain Admins also have administrative access over the domain controllers is because the Domain Admins group is a member of the "Administrators" group.

    To have complete control over the domain, you would want to be in the Domain Admins group.

    Of course, this group should be limited to only those that truly manage the domain.

    To have admin rights on a workstation, I would not add anyone to the domain admins group.  I would address it by having those users as members of the local admins group on their systems, if no other option is available that allows them to do what is expected of them on their systems.



    Visit anITKB.com, an IT Knowledge Base.

    • Marked as answer by Elytis Cheng Tuesday, September 27, 2011 9:08 AM
    Thursday, September 22, 2011 5:50 PM

All replies

  • Hi,

    Yes you are correct.

    Local admin is admin on a local computer. Domain admin is admin on all the computers in a domain. Therefore, the local admin has rights on a LOCAL machine, and the domain admin has rights on all machines in the DOMAIN.

    A Local Administrator is a user that has been made a member of the Administrators group on a local computer. This user basically has complete access to do anything they want on the Vista computer.


    If you found this post helpful, please give it a "Helpful" vote. If it answered your question, remember to mark it as an "Answer". This posting is provided "AS IS" with no warranties and confers no rights! Always test ANY suggestion in a test environment before implementing!
    Thursday, September 22, 2011 1:36 PM
  • Duplicate post:

    http://social.technet.microsoft.com/Forums/en-AU/winserverDS/thread/6a3c2ab9-8153-400d-8523-69a47d3e26a3


    If you found this post helpful, please give it a "Helpful" vote. If it answered your question, remember to mark it as an "Answer". This posting is provided "AS IS" with no warranties and confers no rights! Always test ANY suggestion in a test environment before implementing!
    • Proposed as answer by Awinish Thursday, September 22, 2011 2:15 PM
    Thursday, September 22, 2011 1:36 PM
  • You only need to add a user to the local admins group; if there are dependencies to software somewhere outside of the local machine then they might need elevated privileges.  You need to remove the membership to domain admins, otherwise they have unrestricted access to everything and could remove your rights to your domain.  In some companies granting others domain admin rights could be cause for dismissal, so be careful who you grant permissions to.  If you need to grant certain individuals rights to machines, you should consider using restricted groups within group policy.

    http://technet.microsoft.com/en-us/library/cc785631(WS.10).aspx

    --
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    http://www.pbbergs.com    Twitter @pbbergs
    http://blogs.dirteam.com/blogs/paulbergson

    Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.

    Thursday, September 22, 2011 1:39 PM
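Added example, not code from any poster in this thread: a PowerShell script that audits a workstation's local Administrators group for the two patterns Santhosh and Paul discuss (Domain Admins present by default, and individual domain users granted local admin directly) and grants the rights through a dedicated domain security group instead of Domain Admins; that group is also what a Restricted Groups GPO would push out. It assumes the LocalAccounts cmdlets (Windows 10 / Server 2016 or later) and the RSAT ActiveDirectory module; the domain name CORP and group name WS-LocalAdmins are placeholders.

```powershell
# Audit local Administrators and move workstation admin rights into a dedicated
# domain group rather than Domain Admins or individual user accounts.
# Assumes: LocalAccounts module (Win10/Server 2016+), RSAT ActiveDirectory module.
# 'CORP' and 'WS-LocalAdmins' are placeholder names, not values from the thread.

$domain     = 'CORP'
$adminGroup = 'WS-LocalAdmins'   # hypothetical group holding workstation admins

# 1. Who is actually in the local Administrators group right now?
$members = Get-LocalGroupMember -Group 'Administrators'
$members | Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize

# 2. Flag the patterns discussed in the thread.
foreach ($m in $members) {
    if ($m.Name -eq "$domain\Domain Admins") {
        # Present by default on every domain member; this is why DA members are
        # local admins everywhere, and why DA is the wrong group for that purpose.
        Write-Output "Note: $($m.Name) is a member of local Administrators (default)."
    }
    elseif ($m.ObjectClass -eq 'User' -and $m.PrincipalSource -eq 'ActiveDirectory') {
        # A domain user added directly: hard to track, easy to forget to remove.
        Write-Warning "Domain user $($m.Name) is a direct local admin; prefer a group."
    }
}

# 3. Create the dedicated domain security group once (needs the AD module).
if (-not (Get-ADGroup -Filter "Name -eq '$adminGroup'")) {
    New-ADGroup -Name $adminGroup -GroupScope Global -GroupCategory Security `
        -Description 'Users granted local admin on workstations'
}

# 4. Add that group (not Domain Admins, not individual users) to local Administrators.
if (-not ($members | Where-Object Name -eq "$domain\$adminGroup")) {
    Add-LocalGroupMember -Group 'Administrators' -Member "$domain\$adminGroup"
}
```

Users who need local admin are then added to WS-LocalAdmins in AD, and their Domain Admins membership can be removed as Paul advises.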
  • Please don't duplicate post.  See my answer in your other duplicate post.

    --
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    http://www.pbbergs.com    Twitter @pbbergs
    http://blogs.dirteam.com/blogs/paulbergson

    Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.

    Thursday, September 22, 2011 1:40 PM
  • Local admin and domain admin are completely different in their functionality and effect. Make sure a software restriction group policy is not applied to them via GPO. Also, for testing, log in to the system locally and try to run the application using the local admin account; this way it should work. Is it a problem with a single machine or all the machines?

    Regards  


    Awinish Vishwakarma

    MY BLOG:  awinish.wordpress.com


    This posting is provided AS-IS with no warranties/guarantees and confers no rights.
    Thursday, September 22, 2011 2:19 PM
  • Sorry my browser is being screwy.

    Thursday, September 22, 2011 2:22 PM
  • Replied to your previous post.  You are talking about the built-in Administrators group and Domain Admins.  You can get more info from TechNet.

    http://technet.microsoft.com/en-us/library/cc756898(WS.10).aspx



    Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+| Houston, TX
    Blogs - http://blogs.sivarajan.com/


    This posting is provided AS IS with no warranties,and confers no rights.
    Thursday, September 22, 2011 2:40 PM