
Domain Admins group "lost" permissions?

  • Domain Admins group "lost" permissions?

    I've got an interesting problem at work. I've noticed today that members of the "Domain Admins" group can no longer do their normal roles, i.e. force replication, go into c$ on DCs without being prompted for username/password, can't create in the Netlogon folder on DCs, etc.

    This also seems to be the case with "Enterprise Admins". Oddly, if you add someone into the AD "Administrators" groups they get all the normal "Domain Admins" permissions returned.

    Anyone seen this before?

    Although I'm fairly certain this can't be the issue, someone was messing about with "Restricted Groups" GPOs recently but they were all deleted. Can't see how it would be related but that's the only thing I know of that has changed recently.

    Environment: single domain forest, 3 DCs all 2003, 2000 mixed function mode (yeah, I know).

    Thanks in advance.

  • #2
    Re: Domain Admins group "lost" permissions?

    "Domain Admins" is simply a bog standard Global Security Group. There is NOTHING special about it.

    However, by default and in accordance with Microsoft's security permissions model, the Domain Admins group is by default a member of the "Administrators" Built-In Domain Local Group. THIS is where it gets its domain administration rights and permissions from. Remove the link and Domain Admins is a standard group...

    For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

    Anything you say will be misquoted and used against you
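
Reply #2's point can be checked against a Restricted Groups policy of the kind the original post mentions: a "Members" setting for the built-in Administrators group enforces exactly the listed members, so a list without Domain Admins removes that nesting. The Python below is an added example, not part of the thread; the function names and the sample GptTmpl.inf text (including its domain SID) are constructed for illustration.

```python
# Added example: constructed data, not taken from the thread.
import re

ADMINISTRATORS = "S-1-5-32-544"          # BUILTIN\Administrators (well-known SID)
EXPECTED_RIDS = {"512": "Domain Admins", "519": "Enterprise Admins"}

# Constructed GptTmpl.inf content; the domain SID is a made-up placeholder.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-500,*S-1-5-21-1111111111-2222222222-3333333333-1105
"""

def group_membership(inf_text):
    """Return {(group, 'members'|'memberof'): [entries]} from [Group Membership]."""
    settings, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "group membership" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        group, sep, kind = key.strip().rpartition("__")
        if not sep:
            continue
        entries = [v.strip().lstrip("*") for v in value.split(",") if v.strip()]
        settings[(group.lstrip("*"), kind.lower())] = entries
    return settings

def missing_admin_nesting(inf_text):
    """Names of default nested groups that an enforced Members list would drop."""
    members = group_membership(inf_text).get((ADMINISTRATORS, "members"))
    if members is None:          # no Members line: membership is not enforced
        return []
    rids = {m.rsplit("-", 1)[-1] for m in members if re.fullmatch(r"S-1-5-21(-\d+){4}", m)}
    return [name for rid, name in EXPECTED_RIDS.items() if rid not in rids]

if __name__ == "__main__":
    print(missing_admin_nesting(SAMPLE_INF))
```

GptTmpl.inf files in SYSVOL are typically UTF-16 encoded, so decode them before passing the text to these functions.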


    • #3
      Re: Domain Admins group "lost" permissions?

      Is the replication working as expected? Do you have full security logs? Does this behavior go away after rebooting a DC? Has anyone recently touched GPOs that apply to DCs?
      Guy Teverovsky
      "Smith & Wesson - the original point and click interface"