No, not at all, I find it perfectly acceptable to use a 100 lb sledgehammer to work on the balance wheel in a priceless antique watch or to use a nuclear device to take out one person in the middle of a packed Rose Bowl.

Yes, this is obviously a bit too much permission to give out to get admin rights to machines other than DCs. :o) If someone says they need domain admin for anything, my first question is why. No one has ever gotten past that point with me when I held the keys. I have been told that by AV people, Tivoli/Monitoring people, software delivery people, and other people, and every single one of them gets a response back of fix their app or find another way.

Unfortunately, MS automatically populates Domain Admins and doesn't allow that to be configured. Of course you can use a GPO, but that is just using another tech to crutch the lack in the original implementation, which is happening a lot already (i.e. confidentiality bit, et al). The proper answer is to create some other group and populate the machines with that group that you want to give out admin rights to the members of. This can be done before or after the machine is a member of the domain, either through GPOs or by adding the group directly when you build the machine or add it to the domain. My lg command-line tool will allow you to specify a group be added to a machine prior to it being added to a domain, as long as it can resolve the domain SIDs needed.

Honestly I wonder if we have passed the time when domain admin has exceeded its useful life. In all but the smallest implementations it probably isn't likely the domain admin designees are actually responsible for working on all machines in the domain. Maybe remove it from all products but SBS. That would certainly force crap app makers to find something else to do to work on the next rev of the OS. They won't just be able to say, make the service account a domain admin.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, June 28, 2005 4:47 AM
To: [email protected]
Subject: RE: [ActiveDir] Domain Admins Group Membership

Now that we're beyond the technical specs... does anyone else cringe at the idea of granting domain admin privileges to satisfy local administrative rights privileges to machines?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, June 27, 2005 5:31 PM
To: [email protected]
Subject: Re: [ActiveDir] Domain Admins Group Membership

Juan,

You won't be able to add users from another domain to the Domain Admins group. The Domain Admins group is a global group, and the rules for Global Groups are that they can contain users from the domain in which the global group was created. By that rule, only users of Domain A may be members of the Domain Admins group of Domain A. However, IIRC, the Administrators group is a special group or a Domain Local group, and will allow the add of users from Domain B.

Rick

> From: "Ibarra, Juan" <[EMAIL PROTECTED]>
> Date: 2005/06/27 Mon AM 11:24:58 EDT
> To: <[email protected]>
> Subject: [ActiveDir] Domain Admins Group Membership
>
> Hi,
>
> I need to add certain users from domain B, Win 2000 Domain, to the Domain Admins group of Domain A, Windows 2003 Domain. There is a two-way trust between the two domains; however, I don't seem to find the way to do this. I am able to add users to shares but not the group.
>
> How could I accomplish this?
>
> Thanks,
> Juan
>
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
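Added example, not from the thread and not joe's lg tool: the "create some other group and put that in the machines' local Administrators" approach, scripted for the cross-domain case Juan asked about. It first shows why Domain Admins rejects the domain B user (Global scope), then creates a Domain Local group that can hold principals from the trusted domain, and finally places that group in local Administrators on the target machines while reporting what else holds admin rights there. Every name below (corp.example as domain A, partner.example as domain B, the Workstation-Admins group, the OU path, the jibarra account, the ws-001/ws-002 hosts) is an assumption; the script assumes the RSAT ActiveDirectory module on the admin box and PowerShell 5.1 or later (for the Microsoft.PowerShell.LocalAccounts cmdlets) on the targets.

```powershell
# Added example (not code from the ActiveDir thread). All names are hypothetical.
Import-Module ActiveDirectory

$DomainA    = 'corp.example'            # domain that owns the workstations (domain A)
$DomainB    = 'partner.example'         # trusted domain whose users need local admin (domain B)
$NetbiosA   = 'CORP'                    # NetBIOS name of domain A
$GroupName  = 'Workstation-Admins'      # the "some other group" instead of Domain Admins
$GroupOU    = 'OU=Groups,DC=corp,DC=example'
$DomainBSam = 'jibarra'                 # sAMAccountName of the domain B user
$Targets    = @('ws-001', 'ws-002')     # domain A member machines to delegate on

# 1. Why Juan's original attempt fails: Domain Admins is a Global group, and a
#    Global group can only contain principals from its own domain.
$da = Get-ADGroup -Identity 'Domain Admins' -Server $DomainA -Properties GroupScope
Write-Host "Domain Admins scope in ${DomainA}: $($da.GroupScope)"   # expected: Global

# 2. Create a Domain Local security group. Domain Local scope accepts users and
#    groups from trusted domains (stored as foreign security principals), and a
#    domain-local group from domain A can be placed in the local Administrators
#    group of any domain A member.
$grp = Get-ADGroup -Filter "Name -eq '$GroupName'" -Server $DomainA
if (-not $grp) {
    $grp = New-ADGroup -Name $GroupName -GroupScope DomainLocal -GroupCategory Security `
        -Path $GroupOU -Server $DomainA -PassThru `
        -Description 'Local Administrators on workstations only. Not a domain admin group.'
}

# 3. Add the domain B user. Looking the user up against a domain B DC and handing
#    the object to domain A lets AD create the foreign security principal for us.
$userB = Get-ADUser -Identity $DomainBSam -Server $DomainB
Add-ADGroupMember -Identity $grp -Members $userB -Server $DomainA

# 4. Put the group into local Administrators on each target and list who else is
#    in there, so direct user grants and stray groups stand out in the report.
$qualified = "$NetbiosA\$GroupName"
$report = Invoke-Command -ComputerName $Targets -ArgumentList $qualified -ScriptBlock {
    param([string]$Member)
    try {
        $current = Get-LocalGroupMember -Group 'Administrators'
    } catch {
        # Get-LocalGroupMember throws if an orphaned SID (deleted account) is present;
        # fall back to the legacy tool, which tolerates it.
        $current = @()
        net localgroup Administrators | Select-Object -Skip 6 |
            Where-Object { $_ -and $_ -notmatch '^The command completed' } |
            ForEach-Object { $current += [pscustomobject]@{ Name = $_; ObjectClass = '?'; PrincipalSource = '?' } }
    }
    if (-not ($current.Name -contains $Member)) {
        Add-LocalGroupMember -Group 'Administrators' -Member $Member
        $current = Get-LocalGroupMember -Group 'Administrators'
    }
    $current | ForEach-Object {
        [pscustomobject]@{
            Computer        = $env:COMPUTERNAME
            Name            = $_.Name
            ObjectClass     = $_.ObjectClass
            PrincipalSource = $_.PrincipalSource
            # Flag anything that is a user (rather than a group) granted directly.
            DirectUserGrant = ($_.ObjectClass -eq 'User')
        }
    }
}
$report | Sort-Object Computer, Name | Format-Table -AutoSize
```

On Windows 2000/2003 hosts, where the LocalAccounts cmdlets do not exist, the same step 4 is `net localgroup Administrators "CORP\Workstation-Admins" /add` run at build time, or a Restricted Groups policy that adds the group to Administrators (use the "Member of" direction rather than "Members of this group", so the policy adds your group without wiping whatever else is already there). The report still shows `CORP\Domain Admins` on every member, because that default membership is set by the domain join itself, which is the point joe is making: the delegated group lets you stop handing out Domain Admins, it does not remove Domain Admins from the machines.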
