Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Chriss Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Is Domain Admins a builtin security group?

Status
Not open for further replies.
newifu

newifu

MIS
Apr 6, 2004
40
CA
Domain Controllers are windows 2000 and 2003
We have a "Domain Admins" group which i think is inherited from the windows NT domain. There is another builtin group "Administrators" in AD which i think is the real administrators.Am I right?
We are tighting security setting in Active Directory since so many people are members of "domain admins",
we want to demote Domain Admins as account operators and just let some people in domain\builtin\Administrators as real domain admin. I check the security of "Administrators", "Enterprise Admins" groups and their member users, nobody has full control over these objects. I am a member of "administrators", but I cannot grant access over these objects without full control. Is this normal or we did something wrong? How can I grant full control access over them? by ntdsutil?

Thanks
 
Sort by date Sort by votes
domain admins is a global group that is a member of the built-in administrators group. This is so you can follow the practice of AGDLP..accounts go into global groups, which go into domain local groups, which are assigned permissions.
 
Upvote 0 Downvote
Speaking of groups, I have a question...
Here is vb code i have created so far.

On Error Resume Next
wi = "domain\nypak-workstation installers"
Set WSHShell = CreateObject("WScript.Shell")
Set WSHNetwork = CreateObject("WScript.Network")
Call wshshell.run("cmd.exe /C net localgroup administrators " & wi & " /add")
'call wshshell.run("cmd.exe /C net localgroup administrators domain\domain admins /add")
call wshshell.run("cmd.exe /C net localgroup administrators domain\a1migrator /add")

Problem is, the script only works for the domain\a1migrator line. the other two lines fail no matter what i do. it sems to be the spaces causing the issue though. How should i be structuring this script?


Thanks,
 
Upvote 0 Downvote
oh sorry, we want to populate the local administrators groups on each pc in the Active Directory domain.

Thanks,
 
Upvote 0 Downvote
You might want to start a new thread, instead of hijacking wzwhi's thread :)
 
Upvote 0 Downvote
Thanks for your reply, mlichstein, My question is , for those domain local groups themselves, there must be someone has full control over them. I check the properties of "Administrators" domain local group, nobody has full control except "system", Is this normal or I did something by mistake. without full control how can I delegate permission over these groups? such as preventing a group from joining themself to "administrators" group?

Thanks
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

goombawaho
  • Locked
  • Question
Domain join from wifi connected laptop
Replies
4
Views
1K
goombawaho
goombawaho
MattM1975
  • Locked
  • Question
Domain Admin Logon 1
Replies
2
Views
356
ADB100
ADB100
mangentle
  • Locked
  • Question
What could be the potential causes if a Microsoft Windows Server is experiencing slow network!
Replies
1
Views
1K
gbaughma
gbaughma
DrB0b
  • Locked
  • Question
Windows 2016 IIS FTP server with a ton of user accounts
Replies
4
Views
780
DrB0b
DrB0b
fredmartinmaine
  • Locked
  • Question
Domain Controller without DNS Server
Replies
4
Views
808
fredmartinmaine
fredmartinmaine

Part and Inventory Search

Sponsor

Back
Top