|
| |||||||||
| Tags: admins, group, joining |
Sponsored Links
Joining a computer to the "Domain Admins" group
Active Directory
 |
| | Thread Tools | Search this Thread |
|
| |||||||||
| Tags: admins, group, joining |
|
| | Thread Tools | Search this Thread |
|
#1
27-02-2009
| |||
| |||
| Joining a computer to the "Domain Admins" group
Hi, I am currently installing System Center Configuration Manager and I found a description where they suggested to add the SCCM_Server to the Active Directory "Domain Admins" group. I am wondering about which effects in generall this activity has? Are all the local users on this computer then domain admins? Thanks in Advance, Berni  |
|
#2
01-03-2009
| |||
| |||
| RE: Joining a computer to the "Domain Admins" group
Hi Berni Not by any book, but the local logged on operators to the SC box could make use of the additional privilages. I suggest reading http://go.microsoft.com/fwlink/?LinkId=17926 with regards to restriction of elevatable privilages and also set the Dont ever want to allow the "Enable computers and users for trusted delegation" security option in group policy, by default it is not configured/defined, I will in this case define it with not allowable users and set that via an AD GPO for this 1 server, link the olicy to the domain, but under the GPO console, use the delegation to remove authenticated users and only add the computer name as allowable, and be sure to check under the advanced tab before applying Enjoy-- Garry Starck MCSE 2003 Messaging MCDBA "berni" wrote: > Hi, > > I am currently installing System Center Configuration Manager and I found a > description where they suggested to add the SCCM_Server to the Active > Directory "Domain Admins" group. > > I am wondering about which effects in generall this activity has? > Are all the local users on this computer then domain admins? > > Thanks in Advance, > Berni > > |
|
#3
01-03-2009
| |||
| |||
| Re: Joining a computer to the "Domain Admins" group
Berni, berni wrote: > I am currently installing System Center Configuration Manager and I found a > description where they suggested to add the SCCM_Server to the Active > Directory "Domain Admins" group. > > I am wondering about which effects in generall this activity has? > Are all the local users on this computer then domain admins? Using a service account that has domain admin rights is a bad idea. I guess the SCCM_Server account is used to push software and the like. I suspect it doesn't really need domain admin rights but certain permissions on client machines. A Domain Admin is the owner of the domain - you certainly don't want that. Cheers, Florian -- Microsoft MVP - Group Policy eMail: prename [at] frickelsoft [dot] net. blog: http://www.frickelsoft.net/blog. Maillist (german): http://frickelsoft.net/cms/index.php?page=mailingliste |
|
#4
01-03-2009
| |||
| |||
| Re: Joining a computer to the "Domain Admins" group
Hello berni, Follow this posting down to the part where "Wally MSFT" answeres: http://social.technet.microsoft.com/...94b442db9cee/# At least the machine account has to be member of the built-in administrators group. Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights. ** Please do NOT email, only reply to Newsgroups ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm > Hi, > > I am currently installing System Center Configuration Manager and I > found a description where they suggested to add the SCCM_Server to the > Active Directory "Domain Admins" group. > > I am wondering about which effects in generall this activity has? Are > all the local users on this computer then domain admins? > > Thanks in Advance, > Berni |
|
#5
02-03-2009
| |||
| |||
| Re: Joining a computer to the "Domain Admins" group
Hi I don't think that is necessary. Those perm would eventually needed to allow the server to create the System Management container and extend the schema, but you can do it manually. In the schema master: -Install Windows Server Support Tools. With adsiedit.msc connect to domain container -Manually create the "System Management" Container under CN=System... (The System Management is case sensitive). -Give full perm to the server on the "System Management" container and all child objects. -Extend Active Directory's schema using extadsch.exe tool. -Additionally you may have to set the SPN for the SQL server. That will depend in how did you deployed the SQL server. -- I hope that the information above helps you. Have a Nice day. Jorge Silva MVP Directory Services "berni" <berni@discussions.microsoft.com> wrote in message news:CA57D605-C638-48B8-8980-1F3C59DBE91D@microsoft.com... > Hi, > > I am currently installing System Center Configuration Manager and I found > a > description where they suggested to add the SCCM_Server to the Active > Directory "Domain Admins" group. > > I am wondering about which effects in generall this activity has? > Are all the local users on this computer then domain admins? > > Thanks in Advance, > Berni > > |
|
|
| Thread Tools | Search this Thread |
| |
Similar Threads for: "Joining a computer to the "Domain Admins" group" | ||||
| Thread | Thread Starter | Forum | Replies | Last Post |
| Creating "custom named" cloned group of "Domain Admins" | Jon K | Active Directory | 2 | 15-11-2011 02:38 AM |
| How to add security group to bulk computer object's ACL for joining to domain | Sudheep PA | Active Directory | 1 | 21-04-2011 01:36 PM |
| Why AD objects created always have the "domain admins" as owner ? | Eric | Active Directory | 1 | 18-02-2010 11:13 PM |
| "The Network Path Was Not Found" (joining domain) | hozzie | Windows Server Help | 6 | 06-07-2009 11:39 PM |
| GPO Delegation "Apply Group Policy" deny for Domain admins does notwork? | Ryan | Small Business Server | 4 | 27-06-2008 04:59 PM |
