Remove domain admins from local admins group on specific servers

Guest · Oct 21, 2005

Hi

I have a few servers in an OU in which I want to assign full control only to
a specific group other than domain admins. If I remove the domain admins
group from the local admins group on these servers :

1. will that prevent all domain admins from logging on to these machines.

2. can they (the domain admins) then seize control of these servers and add
themselves back into the local admins groups (on these machines).

Thanks.

Danny Sanders · Oct 21, 2005

Actually you don't restrict the domain admin you restrict who you add to the
group.

One of the main criteria for being a domain admin is trust. If you can't
trust them they don't need to be a domain admin.

If you could remove them, they as domain admins can undo what ever you can
do as a domain admin.

hth
DDS W 2k MVP MCSE

Guest · Oct 21, 2005

Thanks for your reply, Here is the scenario,

I have delegated full control of an OU under the main domain to a group.
This group has full control over all servers in that OU only but are not
domain admins. This group is also part of the local admins group on all the
servers within that OU only. If one of these users removed the domain admins
group from the local administrators group on one of these servers, will a
domain admin still be able to logon to these servers? Also if they can I
assume they will be able to add themselves back into the local admins group
on the said servers as well.

Thanks

Danny Sanders · Oct 21, 2005

Are we talking about DCs or member servers?

DDS

RA said:
Thanks for your reply, Here is the scenario,

I have delegated full control of an OU under the main domain to a group.
This group has full control over all servers in that OU only but are not
domain admins. This group is also part of the local admins group on all
the
servers within that OU only. If one of these users removed the domain
admins
group from the local administrators group on one of these servers, will a
domain admin still be able to logon to these servers? Also if they can I
assume they will be able to add themselves back into the local admins
group
on the said servers as well.

Thanks

Guest · Oct 21, 2005

They are all member servers.

Danny Sanders said:
Are we talking about DCs or member servers?

DDS

Danny Sanders · Oct 21, 2005

To make sure the domain admin stays in the local admin group on those
servers See:
http://support.microsoft.com/default.aspx?scid=kb;en-us;555026

hth
DDS W 2k MVP MCSE

Guest · Oct 21, 2005

Cool thanks a lot!

Danny Sanders said:
To make sure the domain admin stays in the local admin group on those
servers See:
http://support.microsoft.com/default.aspx?scid=kb;en-us;555026

hth
DDS W 2k MVP MCSE

Remove Domain Admins ability from "Delegation Of Control"	5	Dec 21, 2005
Domain Admins Group?	7	Mar 2, 2004
Unable to prevent OU deletion by Domain Admins?	8	Nov 1, 2004
Unable to prevent OU deletion by Domain Admins?	2	Nov 1, 2004
Local Admins via GPO?	1	Oct 26, 2004
Prevent some Domain Admin Account from creating USERS, Groups, OUs	2	Jan 4, 2008
Change Default Groups added to Local Administrator group when joiningdomain.	1	Mar 29, 2006
Domain users Log on Locally	1	Oct 28, 2003

Remove domain admins from local admins group on specific servers

Guest

Danny Sanders

Guest

Danny Sanders

Guest

Danny Sanders

Guest

Ask a Question

Similar Threads