removing domain admins group from local admins group on selected s

Discussion in 'Active Directory' started by RA, Oct 21, 2005.

  1. RA

    RA Guest

    Hi

    I have a few servers in an OU in which I want to assign full control only to
    a specific group other than domain admins. If I remove the domain admins
    group from the local admins group on these servers :

    1. will that prevent all domain admins from logging on to these machines?

    2. can they (the domain admins) then seize control of these servers and add
    themselves back into the local admins groups (on these machines)?

    Thanks.
     
    RA, Oct 21, 2005
    #1

  2. 1. will that prevent all domain admins from logging on to these machines.

    If they're member servers, no, as users have logon locally access. You might
    need to check the logon locally and logon via TS rights though.

    themselves back into the local admins groups (on these machines).

    Yep. A Domain Admin can quite easily add themselves back in there if they
    want to. But you can audit for this.

    Note. This will not, and cannot, work if we are talking about DCs.


    This raises a number of security questions about why you don't trust your
    domain admins, etc. If you have a domain admin they should be trusted
    explicitly. If they are not, they shouldn't be admins. I know this is
    often tough in the workplace, but you have to fight this all the way and
    make it right. Otherwise it will come back and really bite you. And "I
    told you so" to the boss won't cut it! ;-)
     
    Paul Williams [MVP], Oct 22, 2005
    #2
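    The change Paul describes (dropping Domain Admins from the local Administrators group on the member servers and then auditing for anyone re-adding themselves), as an added PowerShell example that is not from the thread. It assumes PowerShell Remoting, the Microsoft.PowerShell.LocalAccounts cmdlets on the targets (Windows Server 2016 or later), "Audit Security Group Management" enabled there, and the placeholder server, domain and group names below.

```powershell
# Added example, not code from the thread. Assumptions: PowerShell 5.1+ with the
# LocalAccounts module on each target, remoting enabled, group-management auditing
# on, and the placeholder names below replaced with real ones. Not applicable to
# DCs, which have no separate local Administrators group (as the reply notes).
$Servers      = @('FIN-SRV01', 'FIN-SRV02')      # constructed placeholders
$DomainAdmins = 'CONTOSO\Domain Admins'          # placeholder domain
$FinanceGroup = 'CONTOSO\Finance-ServerAdmins'   # placeholder delegated group

function Set-FinanceLocalAdmins {
    param([string]$Computer)
    Invoke-Command -ComputerName $Computer -ScriptBlock {
        param($da, $fin)
        $members = (Get-LocalGroupMember -Group 'Administrators').Name
        # Add the delegated group first so the box is never left without an admin
        if ($members -notcontains $fin) {
            Add-LocalGroupMember -Group 'Administrators' -Member $fin
        }
        if ($members -contains $da) {
            Remove-LocalGroupMember -Group 'Administrators' -Member $da
        }
        # Return the resulting membership so the caller can verify the change
        (Get-LocalGroupMember -Group 'Administrators').Name
    } -ArgumentList $DomainAdmins, $FinanceGroup
}

# Audit side: Security event 4732 = "A member was added to a security-enabled
# local group". Any 4732 whose target group is Administrators is someone (a
# Domain Admin included) adding an account back after the change.
function Get-LocalAdminAdditions {
    param([string]$Computer, [datetime]$Since = (Get-Date).AddDays(-7))
    Get-WinEvent -ComputerName $Computer -FilterHashtable @{
        LogName = 'Security'; Id = 4732; StartTime = $Since
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.TargetUserName -eq 'Administrators') {
            [pscustomobject]@{
                Computer  = $Computer
                Time      = $_.TimeCreated
                AddedBy   = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                MemberSid = $d.MemberSid   # 4732 records the SID, not the name
            }
        }
    }
}

foreach ($s in $Servers) {
    Set-FinanceLocalAdmins  -Computer $s
    Get-LocalAdminAdditions -Computer $s
}
```

    Forwarding the 4732 events to a log server the Domain Admins do not control is what makes the audit trail hold up, since a local admin can clear the Security log on the box itself.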

  3. RA

    RA Guest

    Hi, thanks for your reply, it's kind of what I suspected. And I see your point
    about not trusting the Dom admins.

    Problem is, it's not that I don't trust them, but the finance dept wants
    complete control of these machines.
     
    RA, Oct 22, 2005
    #3