Results 1 to 4 of 4

Thread: Active Directory question

  1. #1

    Active Directory question

    Hi,
    I have a little question about AD, I have opened a admin in the AD that is a memeber of the same groups as the administor built in account but when I use this admin account i dont have priviledge like the "administrator" account I mean I cant edit the network ips and dns why is that what should I do to make it have the same exact priviledges.

  2. #2
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    You need to be a domain administrator. When the workstation is joined to the domain, the domain administrator group is added to the local administrators group.

    http://www.windowsecurity.com/articl...elegation.html

    I would recommend that you only allow very few people to be domain admins and above. Use delegation when possible. So, you can allow a new admin the ability to reset passwords but not allow them to create accounts or join new workstations to the domain.
    Last edited by phishphreek; April 27th, 2007 at 02:13 AM.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  3. #3
    Quote Originally Posted by phishphreek
    You need to be a domain administrator. When the workstation is joined to the domain, the domain administrator group is added to the local administrators group.

    http://www.windowsecurity.com/articl...elegation.html

    I would recommend that you only allow very few people to be domain admins and above. Use delegation when possible. So, you can allow a new admin the ability to reset passwords but not allow them to create accounts or join new workstations to the domain.
    actually the user is a domain admin but the problem is he cannot perform admin priviledges like a local admin on the workstation only the domain admin called "administrator" can do this to simplify it:
    I opened a user in my domain and called it "admin" then add this admin to the domain admins group after this I logged in into a client machine in the domain with this user called "admin" but I cant install softwares or change the network settings, so this user is not added automaticaly to the local administrators group and I have to add it manualy on each computer.
    Last edited by harvesterofdata; April 27th, 2007 at 05:03 PM.

  4. #4
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    By default, the domain admin group added to the local administrator group when you you join the workstation to the domain. Is this happening in your environment? It doesn't sound like it... Either that, or the changes are not being replicated to the AD server that is authenticating the workstation.

    Or, maybe the local admin of that workstation has removed the domain admin group from the local admin group? It's tough to say without looking at your setup.

    Very strange... Can you tell me more about your AD setup? How many AD servers, sites, relation to workstation to site to AD servers, etc. Meaning, is the workstation in the same site as the AD server in which you add the user to the domain admin account? Is your replication working properly? etc.

    If the domain admin account is not being added, or is being removed by someone... you can use Group Policy and configure "restricted groups". This will also prevent a user (if they have local admin privledges) from removing the domain admin group from the local admin group. You can also give certain people or groups more privledges in the OU in which the GP is enabled.

    http://www.windowsecurity.com/articl...ed-Groups.html
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

Similar Threads

  1. Windows Error Messages
    By cheyenne1212 in forum Miscellaneous Security Discussions
    Replies: 7
    Last Post: February 1st, 2012, 02:51 PM
  2. Active Directory Problem
    By novkhan in forum Operating Systems
    Replies: 11
    Last Post: July 1st, 2004, 05:55 PM
  3. Linux LPI 101 - Part II
    By Negative in forum Other Tutorials Forum
    Replies: 2
    Last Post: February 2nd, 2003, 03:14 PM
  4. Test Your Knowledge of Redhat?
    By smirc in forum AntiOnline's General Chit Chat
    Replies: 3
    Last Post: May 13th, 2002, 03:24 AM
  5. Simple Unix/Linux commands tutorial
    By UberC0der in forum Other Tutorials Forum
    Replies: 2
    Last Post: December 27th, 2001, 02:40 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •