Re: Rights and Permissions of Domain Admins group in AD

From: Nico (Nico@ic24.net)
Date: 07/03/02 

From: "Nico" <Nico@ic24.net>
Date: Wed, 3 Jul 2002 18:22:45 +0100

Domain Admins does have special rights in W2K from what I remember,
particularly in the DACLS of the active directory. Its not the same as NT4
where the "potency" was obtained by being a member of the Administrators
group.

The solution that you mention is a good workaround. Applications take the
easy way out, by requesting Domain Admin level access (e.g. BackupExec) , as
all workstations/servers will have domain admins in the local SAM of each
workstation/server.

"Andy" <andrew_ihatespamtaylor_mcse@yahooihatespam.com> wrote in message
news:uGC4tWrICHA.2620@tkmsftngp13...
> Hello,
>
> I have a question regarding the Domain Admins global group in Active
> Directory. Here it is:
>
> In a native-mode Active Directory environment, does the Domain Admins
group
> have any special permissions or rights of its own, or does it get all of
its
> rights and permissions from residing in the Administrators group on the
> domain controllers and on member servers and workstations?
>
> Here is my reason for the question: My company is evaluating WinInstall
7.5
> as an option for software distribution to desktop PCs. Apparently the
> documentation for this product recommends using a service account that
> resides in the Domain Admins group when distributing software to
> workstations. The use of that particular built-in group may not be
> desirable in our environment for several reasons. I'm trying to find out
if
> a workaround may be possible -- creating a service account and global
group
> with the appropriate rights and permissions, and adding the global group
to
> the Administrators local group on different workstations. (The client PCs
> would all be either Windows 2000 Pro or Windows XP Pro)
>
> Thanks,
>
> Andy
>
> --
> [Remove "I hate spam" messages from my return address to send e-mail.
> Otherwise feel free to respond to the newsgroup instead.]
>
>
>
>

Relevant Pages

  • Re: Rights and Permissions of Domain Admins group in AD
    ... > Domain Admins does have special rights in W2K from what I remember, ... > all workstations/servers will have domain admins in the local SAM of each ... >> rights and permissions from residing in the Administrators group on the ... >> domain controllers and on member servers and workstations? ...
    (microsoft.public.win2000.security)
  • Re: Unable to prevent OU deletion by Domain Admins?
    ... That's how ACLs work, or at ... Microsoft's own guidelines for parsing ACLs states that DENY ACLs ... I understand that domain admins have the delete and delete subtree ... I have a folder where Domain Users have Full control rights. ...
    (microsoft.public.win2000.active_directory)
  • Re: Prevent changes to Administrator password
    ... To add to what I already said: *ANY* member of a Domain Admins group *MUST* be trusted in what he does with his account. ... BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx ... * This posting is provided "AS IS" with no warranties and confers no rights! ...
    (microsoft.public.windows.server.active_directory)
  • Re: Log on Locally
    ... even if I do not have the rights to log on locally, ... > Logon to the machine as a standard user and use the runas command. ... > snapin to reset the policy. ... I didn't check very well and I add Domain admins to ...
    (microsoft.public.win2000.security)
  • Re: Delegate certain rights to a single Domain Controller
    ... Please note that this hack does not eliminate all possible security risks, ... > This posting is provided "as is" with no warranties and confers no rights ... >> If you think your domain admins can only modify stuff in their own ... >>> cannot modify DCs across domains. ...
    (microsoft.public.windows.server.active_directory)