+ Post New Thread
Page 1 of 2 12 LastLast
Results 1 to 15 of 26
Windows Thread, admins and domain admins in Technical; my NM is having a thing about passwords and security. All admins are being demoted to domain admins, well thats ...
  1. #1
    browolf's Avatar
    Join Date
    Jun 2005
    Location
    Mars
    Posts
    1,524
    Thank Post
    106
    Thanked 88 Times in 74 Posts
    Blog Entries
    46
    Rep Power
    40

    admins and domain admins

    my NM is having a thing about passwords and security. All admins are being demoted to domain admins, well thats just me and him. But I can add myself to the administrators security group at any time. how's that secure?

  2. #2

    Geoff's Avatar
    Join Date
    Jun 2005
    Location
    Fylde, Lancs, UK.
    Posts
    11,802
    Thank Post
    110
    Thanked 583 Times in 504 Posts
    Blog Entries
    1
    Rep Power
    224

    Re: admins and domain admins

    It isn't. Your NM might wish to research and test policies prior to implementation in future.

  3. #3
    browolf's Avatar
    Join Date
    Jun 2005
    Location
    Mars
    Posts
    1,524
    Thank Post
    106
    Thanked 88 Times in 74 Posts
    Blog Entries
    46
    Rep Power
    40

    Re: admins and domain admins

    we was just testing it on our inset day.

  4. #4

    Geoff's Avatar
    Join Date
    Jun 2005
    Location
    Fylde, Lancs, UK.
    Posts
    11,802
    Thank Post
    110
    Thanked 583 Times in 504 Posts
    Blog Entries
    1
    Rep Power
    224

    Re: admins and domain admins

    Well, what is the 'problem' he's trying to solve? Maybe we could offer an alternative technical/policy solution?

  5. #5

    plexer's Avatar
    Join Date
    Dec 2005
    Location
    Norfolk
    Posts
    13,273
    Thank Post
    614
    Thanked 1,567 Times in 1,407 Posts
    Rep Power
    412

    Re: admins and domain admins

    I presume you all use normal accounts for your every day to day operations and only use admin accounts when needed?

    Ben

  6. #6

    Join Date
    Oct 2005
    Location
    West London
    Posts
    55
    Thank Post
    1
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    Re: admins and domain admins

    :? IMHO the problem exists between the network managers chair and keyboard if he wishes to 'demote' you to the highest level of access in a domain- Domain Admins group is automatically a member of every local Administrators group on every computer, including the DC...

  7. #7

    plexer's Avatar
    Join Date
    Dec 2005
    Location
    Norfolk
    Posts
    13,273
    Thank Post
    614
    Thanked 1,567 Times in 1,407 Posts
    Rep Power
    412

    Re: admins and domain admins

    Thats where I got a bit confused as to what he was trying to say actually I don't understand what they are supposedly being demoted from Enterprise Admins?

    Or from local admins to domain admins dunno didn't actually make sense.

    Ben

  8. #8

    Geoff's Avatar
    Join Date
    Jun 2005
    Location
    Fylde, Lancs, UK.
    Posts
    11,802
    Thank Post
    110
    Thanked 583 Times in 504 Posts
    Blog Entries
    1
    Rep Power
    224

    Re: admins and domain admins

    Emterprise Admins can Admin all domains in a Forest. Domain Admins can only Admin a single domain in a forest. This is entirely irrelevent for most schools as most people run a single domain in a single forest on one site. So Enterprise Admins and Domain Admins are functionally equivelent.

  9. #9
    browolf's Avatar
    Join Date
    Jun 2005
    Location
    Mars
    Posts
    1,524
    Thank Post
    106
    Thanked 88 Times in 74 Posts
    Blog Entries
    46
    Rep Power
    40

    Re: admins and domain admins

    Quote Originally Posted by plexer
    I presume you all use normal accounts for your every day to day operations and only use admin accounts when needed?

    Ben
    that is the intended idea. pretty much everything i do requires domain admin rights, dunno about administrator

    Quote Originally Posted by Geoff
    Emterprise Admins can Admin all domains in a Forest. Domain Admins can only Admin a single domain in a forest. This is entirely irrelevent for most schools as most people run a single domain in a single forest on one site. So Enterprise Admins and Domain Admins are functionally equivelent.
    i didnt realise that. whats the difference between domain admins and the administrators security group then?

  10. #10
    browolf's Avatar
    Join Date
    Jun 2005
    Location
    Mars
    Posts
    1,524
    Thank Post
    106
    Thanked 88 Times in 74 Posts
    Blog Entries
    46
    Rep Power
    40

    Re: admins and domain admins

    Quote Originally Posted by Geoff
    Emterprise Admins can Admin all domains in a Forest. Domain Admins can only Admin a single domain in a forest. This is entirely irrelevent for most schools as most people run a single domain in a single forest on one site. So Enterprise Admins and Domain Admins are functionally equivelent.
    i didnt realise that. whats the difference between domain admins and the administrators security group then?

  11. #11

    Geoff's Avatar
    Join Date
    Jun 2005
    Location
    Fylde, Lancs, UK.
    Posts
    11,802
    Thank Post
    110
    Thanked 583 Times in 504 Posts
    Blog Entries
    1
    Rep Power
    224

    Re: admins and domain admins

    whats the difference between domain admins and the administrators security group then
    There's three 'Administrators' security groups. Do you mean Enterprise Admins, Domain Admins, or Administrators? It also depends on context. Do you mean on a member server/client or a Domain controller?

  12. #12
    browolf's Avatar
    Join Date
    Jun 2005
    Location
    Mars
    Posts
    1,524
    Thank Post
    106
    Thanked 88 Times in 74 Posts
    Blog Entries
    46
    Rep Power
    40

    Re: admins and domain admins

    actually thats the least of my worries, i was just to make sense of policies being implemented over my head

    trying to enable "password must meet complexity requirements" in group policy but its not working. not sure where im going wrong.

    will try to explain what i've done
    created a test OU with the attached normal staff policy
    added another test policy which will contain the alterations im trying
    created a test user in the test OU

    enabled password complexity and minimum password length
    in computer config/windows settings/security settings/account policies/password policy and loopback to force it to apply the computer settings to the user account

    should work, but lets me put anything as the password.

  13. #13

    Geoff's Avatar
    Join Date
    Jun 2005
    Location
    Fylde, Lancs, UK.
    Posts
    11,802
    Thank Post
    110
    Thanked 583 Times in 504 Posts
    Blog Entries
    1
    Rep Power
    224

    Re: admins and domain admins

    Password complexity requirements have to be set in a GPO that applies to Domain controllers as its DC's that enforce the complexity requirements not the client PC/User. Typically this is done in the 'Default Domain Controller' GPO.

  14. #14
    browolf's Avatar
    Join Date
    Jun 2005
    Location
    Mars
    Posts
    1,524
    Thank Post
    106
    Thanked 88 Times in 74 Posts
    Blog Entries
    46
    Rep Power
    40

    Re: admins and domain admins

    ohhhhh surely that means it either applies to everyone or no-one...

  15. #15

    plexer's Avatar
    Join Date
    Dec 2005
    Location
    Norfolk
    Posts
    13,273
    Thank Post
    614
    Thanked 1,567 Times in 1,407 Posts
    Rep Power
    412

    Re: admins and domain admins

    Absolutely password policies do exactly that.

    You can only have one in the domain.

    Ben

SHARE:
+ Post New Thread
Page 1 of 2 12 LastLast

Similar Threads

  1. Replies: 16
    Last Post: 3rd December 2007, 08:08 PM
  2. USB devices for non-admins
    By eejit in forum Windows
    Replies: 46
    Last Post: 15th November 2007, 03:50 PM
  3. Know your UNIX admins
    By ITWombat in forum Jokes/Interweb Things
    Replies: 0
    Last Post: 9th April 2007, 04:36 PM
  4. Local admins and Mandatory Profiles
    By Bobo in forum Windows
    Replies: 21
    Last Post: 2nd April 2007, 03:02 PM
  5. Replies: 6
    Last Post: 22nd February 2007, 07:36 PM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •