-
April 26th, 2007, 09:39 PM
#1
Junior Member
Active Directory question
Hi,
I have a little question about AD, I have opened a admin in the AD that is a memeber of the same groups as the administor built in account but when I use this admin account i dont have priviledge like the "administrator" account I mean I cant edit the network ips and dns why is that what should I do to make it have the same exact priviledges.
-
April 27th, 2007, 02:08 AM
#2
You need to be a domain administrator. When the workstation is joined to the domain, the domain administrator group is added to the local administrators group.
http://www.windowsecurity.com/articl...elegation.html
I would recommend that you only allow very few people to be domain admins and above. Use delegation when possible. So, you can allow a new admin the ability to reset passwords but not allow them to create accounts or join new workstations to the domain.
Last edited by phishphreek; April 27th, 2007 at 02:13 AM.
Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.
-
April 27th, 2007, 04:54 PM
#3
Junior Member
Originally Posted by phishphreek
You need to be a domain administrator. When the workstation is joined to the domain, the domain administrator group is added to the local administrators group.
http://www.windowsecurity.com/articl...elegation.html
I would recommend that you only allow very few people to be domain admins and above. Use delegation when possible. So, you can allow a new admin the ability to reset passwords but not allow them to create accounts or join new workstations to the domain.
actually the user is a domain admin but the problem is he cannot perform admin priviledges like a local admin on the workstation only the domain admin called "administrator" can do this to simplify it:
I opened a user in my domain and called it "admin" then add this admin to the domain admins group after this I logged in into a client machine in the domain with this user called "admin" but I cant install softwares or change the network settings, so this user is not added automaticaly to the local administrators group and I have to add it manualy on each computer.
Last edited by harvesterofdata; April 27th, 2007 at 05:03 PM.
-
April 27th, 2007, 05:36 PM
#4
By default, the domain admin group added to the local administrator group when you you join the workstation to the domain. Is this happening in your environment? It doesn't sound like it... Either that, or the changes are not being replicated to the AD server that is authenticating the workstation.
Or, maybe the local admin of that workstation has removed the domain admin group from the local admin group? It's tough to say without looking at your setup.
Very strange... Can you tell me more about your AD setup? How many AD servers, sites, relation to workstation to site to AD servers, etc. Meaning, is the workstation in the same site as the AD server in which you add the user to the domain admin account? Is your replication working properly? etc.
If the domain admin account is not being added, or is being removed by someone... you can use Group Policy and configure "restricted groups". This will also prevent a user (if they have local admin privledges) from removing the domain admin group from the local admin group. You can also give certain people or groups more privledges in the OU in which the GP is enabled.
http://www.windowsecurity.com/articl...ed-Groups.html
Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.
Similar Threads
-
By cheyenne1212 in forum Miscellaneous Security Discussions
Replies: 7
Last Post: February 1st, 2012, 02:51 PM
-
By novkhan in forum Operating Systems
Replies: 11
Last Post: July 1st, 2004, 05:55 PM
-
By Negative in forum Other Tutorials Forum
Replies: 2
Last Post: February 2nd, 2003, 03:14 PM
-
By smirc in forum AntiOnline's General Chit Chat
Replies: 3
Last Post: May 13th, 2002, 03:24 AM
-
By UberC0der in forum Other Tutorials Forum
Replies: 2
Last Post: December 27th, 2001, 02:40 PM
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|