none
When Joining a Domain, How to Remove Pre-Domain Accounts and Change Permissions?

    שאלה

  • Is there an application to remove the Computer\Administrators group and the Computer\Administrator account and their permissions across the registry and file system and replace them with the Enterprise|Domain\Administrators group after joining a system to a domain?
    יום שישי 08 יוני 2018 10:18

תשובות

  • Am 08.06.2018 um 12:18 schrieb AlaskanRogue:
    > Is there an application to remove the Computer\Administrators group and
    > the Computer\Administrator account and their permissions across the
    > registry and file system and replace them with the
    > Enterprise|Domain\Administrators group after joining a system to a domain?
     
    Why? That makes completly no sense. In the end /someone/ needs to
    administrate the system. That can be done as a domain USER account
    joined into the group of the local Administrators group.
     
    In your scenarios, you would create Administrator group, that has only
    User permissions. So, why not using the existent User group directly?
     
    Do NOT make normal users member of administrators and you are done.
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - deutsch
     
    GET Privacy and DISABLE Telemetry on Windows 10
     
    • סומן כתשובה על-ידי AlaskanRogue יום שלישי 12 יוני 2018 10:00
    יום שלישי 12 יוני 2018 06:22
  • Am 12.06.2018 um 14:00 schrieb AlaskanRogue:
    > Mark, that makes sense!!!
     
    For security reasons: Never administrate a unsecure client with a domain
    admin account. If the client is hacked, you gain the credentials of the
    most powerfull account.
     
    Always create a "Client Admin", that is only a user inside AD, but
    integrates into the LOCAL Admingroug on the client.
     
    If this account is hacked, it will only brake your clients, but not
    directly your AD ...
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - deutsch
     
    GET Privacy and DISABLE Telemetry on Windows 10
     
    • סומן כתשובה על-ידי AlaskanRogue יום רביעי 13 יוני 2018 14:29
    יום שלישי 12 יוני 2018 20:17

כל התגובות

  • Am 08.06.2018 um 12:18 schrieb AlaskanRogue:
    > Is there an application to remove the Computer\Administrators group and
    > the Computer\Administrator account and their permissions across the
    > registry and file system and replace them with the
    > Enterprise|Domain\Administrators group after joining a system to a domain?
     
    Why? That makes completly no sense. In the end /someone/ needs to
    administrate the system. That can be done as a domain USER account
    joined into the group of the local Administrators group.
     
    In your scenarios, you would create Administrator group, that has only
    User permissions. So, why not using the existent User group directly?
     
    Do NOT make normal users member of administrators and you are done.
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - deutsch
     
    GET Privacy and DISABLE Telemetry on Windows 10
     
    • סומן כתשובה על-ידי AlaskanRogue יום שלישי 12 יוני 2018 10:00
    יום שלישי 12 יוני 2018 06:22
  • Mark, that makes sense!!!
    יום שלישי 12 יוני 2018 12:00
  • Am 12.06.2018 um 14:00 schrieb AlaskanRogue:
    > Mark, that makes sense!!!
     
    For security reasons: Never administrate a unsecure client with a domain
    admin account. If the client is hacked, you gain the credentials of the
    most powerfull account.
     
    Always create a "Client Admin", that is only a user inside AD, but
    integrates into the LOCAL Admingroug on the client.
     
    If this account is hacked, it will only brake your clients, but not
    directly your AD ...
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - deutsch
     
    GET Privacy and DISABLE Telemetry on Windows 10
     
    • סומן כתשובה על-ידי AlaskanRogue יום רביעי 13 יוני 2018 14:29
    יום שלישי 12 יוני 2018 20:17
  • Do you know of any MS documentation that provides these insights that can be shared?
    יום רביעי 13 יוני 2018 14:29