Security permissions for Domain admins group


This topic contains 6 replies, has 5 voices, and was last updated by anonpostguy 11 years, 5 months ago.

    charlsteve
    Member
    #130393

    Hi.

    Due to an odd requirement, I have to allow a particular security group to modify the membership of the “Domain\Domain Admins” group. I went to the security settings of the “Domain Admins” object and added my group with the required privileges. But the problem is that after some time I found that the changes I made had been reverted. To confirm that it is not a problem with my production domain, I did the same in a fresh domain in my test lab and the results are the same.

    Does anyone know whether this is default behavior? Please let me know if you have any thoughts. If it is default behavior, can someone help me achieve my task?

    Thanks,
    Sitaram

    Garen
    Member
    #311266

    Re: Security permissions for Domain admins group

    Do a search on MSKB for “AdminSDHolder”

    There’s a built-in function in AD that will strip non-default permissions from certain groups at a regular interval.

    If you want permissions to remain, you need to modify the AdminSDHolder template.

    #248546

    Re: Security permissions for Domain admins group

    Yes, that’s AdminSDHolder which is causing the same:

    http://support.microsoft.com/kb/232199/

    http://support.microsoft.com/kb/318180/

    Regards,

    charlsteve
    Member
    #295623

    Re: Security permissions for Domain admins group

    Thanks for all the help you have provided.

    I have understood the functionality of the “adminSDHolder” object. If I change ACLs on this object, the same will be replicated to all protected objects, which I don’t want to happen.

    My aim is to add custom ACLs for the “Domain Admins” group only. Is there any way we can achieve this?

    Thanks,
    Sitaram

    guyt
    Member
    #193654

    Re: Security permissions for Domain admins group

    It will not matter. If an account has permissions to modify membership of the Domain Admins group, it effectively has permissions to add himself to the DA group and make himself a full DA.
    ACL-ing only the DA group would be similar to locking a door, giving someone the keys and showing him how to use the key. This will definitely not stop him from opening the door.

    Because you can’t exclude DAs from adminSDHolder, the only option is to enable inheritance on the adminSDHolder container, but I would strongly suggest avoiding it – this is a safety mechanism that is there to protect you if someone messes up the permissions on the sensitive/administrative accounts.

    Bottom line: if someone has to modify the DA group, putting his account in the Domain Admins group has the same effect as letting him modify the DA group membership.
    In your place I’d go to management and explain the implications of something like this.

    anonpostguy
    Member
    #315594

    Re: Security permissions for Domain admins group

    I have a similar issue. My question is, how do I add a user to the Domain Admins group? I have two users that I need to be in this group. Every time I add them, eventually their membership in the group disappears. What do I need to do to keep them in the group? Any help is greatly appreciated.

    Thanks,
    Anonpostguy

    charlsteve
    Member
    #295629

    Re: Security permissions for Domain admins group

    Thanks, guyt, for your valuable suggestion. Yes, you are right that there is no difference between giving someone permission to modify group membership and making him a member of the admin group.

    Hey anonpostguy,

    In my case, it is not removing users from the Domain Admins group. The SD thread process only deals with ACLs and inheritance, not with group membership.

    Let me know if you need any further help!

    Thanks,
    Sitaram.
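
A read-only audit of the behaviour discussed in this thread, as an added example that is not from any of the posters: it compares the explicit ACEs on Domain Admins with the AdminSDHolder template, lists write-capable ACEs on the template for review, and shows which objects carry `adminCount=1`. It assumes the RSAT ActiveDirectory module, the default group name `Domain Admins`, and an account that can read these security descriptors; the helper name `Get-AceKey` is hypothetical.

```powershell
# Added example: reads ACLs only, changes nothing in the directory.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$holderDN = "CN=AdminSDHolder,CN=System,$domainDN"
$groupDN  = (Get-ADGroup -Identity 'Domain Admins').DistinguishedName

# Hypothetical helper: flatten the explicit ACEs of an object into comparable strings.
function Get-AceKey {
    param([string]$DistinguishedName)
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object { -not $_.IsInherited } |
        ForEach-Object {
            '{0}|{1}|{2}|{3}' -f $_.IdentityReference, $_.AccessControlType,
                $_.ActiveDirectoryRights, $_.ObjectType
        } | Sort-Object -Unique
}

$holderAces = @(Get-AceKey $holderDN)
$groupAces  = @(Get-AceKey $groupDN)

# 1. Drift: an ACE present only on the group is one the template will overwrite.
$drift = Compare-Object -ReferenceObject $holderAces -DifferenceObject $groupAces
if ($drift) {
    $drift | ForEach-Object {
        [pscustomobject]@{
            FoundOn = if ($_.SideIndicator -eq '=>') { 'Domain Admins only' } else { 'AdminSDHolder only' }
            Ace     = $_.InputObject
        }
    } | Format-Table -AutoSize -Wrap
} else {
    'Domain Admins ACL matches the AdminSDHolder template.'
}

# 2. Allow ACEs on the template that permit writes. Anyone listed here can change
#    every protected group, so review each principal that is not a built-in admin group.
$write = [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, WriteDacl, WriteOwner'
(Get-Acl -Path "AD:\$holderDN").Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and ($_.ActiveDirectoryRights -band $write) } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType |
    Format-Table -AutoSize -Wrap

# 3. Objects stamped as protected, and whether inheritance is blocked on them.
#    adminCount is not cleared when an object later leaves a protected group.
Get-ADObject -LDAPFilter '(adminCount=1)' -Properties nTSecurityDescriptor |
    Select-Object Name, ObjectClass,
        @{ n = 'InheritanceBlocked'; e = { $_.nTSecurityDescriptor.AreAccessRulesProtected } }
```

Running it right after a manual ACL change on Domain Admins and again later shows the added ACE under "Domain Admins only" first and gone afterwards, while group membership is unaffected.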
