admins and domain admins

[browolf]

my NM is having a thing about passwords and security. All admins are being demoted to domain admins, well thats just me and him. But I can add myself to the administrators security group at any time. how's that secure?

[Geoff]

It isn't. Your NM might wish to research and test policies prior to implementation in future.

[browolf]

we was just testing it on our inset day.

[Geoff]

Well, what is the 'problem' he's trying to solve? Maybe we could offer an alternative technical/policy solution?

[plexer]

I presume you all use normal accounts for your every day to day operations and only use admin accounts when needed?

Ben

[IanB]

:? IMHO the problem exists between the network managers chair and keyboard if he wishes to 'demote' you to the highest level of access in a domain- Domain Admins group is automatically a member of every local Administrators group on every computer, including the DC...

[plexer]

Thats where I got a bit confused as to what he was trying to say actually I don't understand what they are supposedly being demoted from Enterprise Admins?

Or from local admins to domain admins dunno didn't actually make sense.

Ben

[Geoff]

Emterprise Admins can Admin all domains in a Forest. Domain Admins can only Admin a single domain in a forest. This is entirely irrelevent for most schools as most people run a single domain in a single forest on one site. So Enterprise Admins and Domain Admins are functionally equivelent.

[browolf]

Quote:

Originally Posted by plexer

I presume you all use normal accounts for your every day to day operations and only use admin accounts when needed?

Ben

that is the intended idea. pretty much everything i do requires domain admin rights, dunno about administrator

Quote:

Originally Posted by Geoff

Emterprise Admins can Admin all domains in a Forest. Domain Admins can only Admin a single domain in a forest. This is entirely irrelevent for most schools as most people run a single domain in a single forest on one site. So Enterprise Admins and Domain Admins are functionally equivelent.

i didnt realise that. whats the difference between domain admins and the administrators security group then?

[browolf]

Quote:

Originally Posted by Geoff

Emterprise Admins can Admin all domains in a Forest. Domain Admins can only Admin a single domain in a forest. This is entirely irrelevent for most schools as most people run a single domain in a single forest on one site. So Enterprise Admins and Domain Admins are functionally equivelent.

i didnt realise that. whats the difference between domain admins and the administrators security group then?

[Geoff]

Quote:

whats the difference between domain admins and the administrators security group then

There's three 'Administrators' security groups. Do you mean Enterprise Admins, Domain Admins, or Administrators? It also depends on context. Do you mean on a member server/client or a Domain controller?

[browolf]

actually thats the least of my worries, i was just to make sense of policies being implemented over my head

trying to enable "password must meet complexity requirements" in group policy but its not working. not sure where im going wrong.

will try to explain what i've done
created a test OU with the attached normal staff policy
added another test policy which will contain the alterations im trying
created a test user in the test OU

enabled password complexity and minimum password length
in computer config/windows settings/security settings/account policies/password policy and loopback to force it to apply the computer settings to the user account

should work, but lets me put anything as the password.

[Geoff]

Password complexity requirements have to be set in a GPO that applies to Domain controllers as its DC's that enforce the complexity requirements not the client PC/User. Typically this is done in the 'Default Domain Controller' GPO.

[browolf]

ohhhhh surely that means it either applies to everyone or no-one...

[plexer]

Absolutely password policies do exactly that.

You can only have one in the domain.

Ben