Windows IT Pro is the leading independent community for IT professionals deploying Microsoft Windows server and client applications and technologies.
  
  
  Advanced Search 


Return to article

The Missing Link in Windows’ Group Hierarchy
From the July 2006 Edition
of Windows IT Pro
June 28, 2006
Readers
Reader to Reader
InstantDoc #50022
Windows IT Pro
 

There are many administrative groups in a Windows network. Every Windows NT-based machine has an Administrators group (i.e., the SAM) in its local user database to manage that computer. In addition, there are administrative groups in the domain database (i.e., the Active Directory—AD—database) to manage the domain. These groups include the Administrators, Domain Admins, and Enterprise Admins groups. When a Windows NT-based computer group joins an AD domain, the Domain Admins group is added to the local Administrators group of that machine. Hence, the members of the Domain Admins group gain the necessary rights on that machine.

Domain Admins group members have the rights to manage all the computers in a domain, including domain controllers (DCs) and client computers. The Administrators group in the AD database has the rights to manage DCs. The Enterprise Admins group has some forestwide rights. What's missing is a group that can't manage DCs and other crucial servers but can manage the rest of the computers.

At our company, we frequently need a group to manage client computers but not crucial servers. Although there is no such built-in group, a good systems engineer can create one. We found two ways to do so. To illustrate these approaches, let's say we want to create a group that contains technicians who will be responsible for managing client computers but not crucial servers.

The first approach is to create group that has an appropriate name such as Technicians and add the technicians to it. After you create this group, you need to create an organizational unit (OU) that contains the client computers. In that OU, you need to restrict the membership of the Administrators group by using the Restricted Groups policy. The Administrators group should contain only the Technicians group and the local administrator account. By doing so, the members of the Technicians group become the administrators of the client computers.

Although this approach works, it has a drawback. An AD quota prevents ordinary users from adding more than 10 computer accounts to the domain. The members of the technicians group are ordinary users, except that they're the administrators of the client computers. Thus, the technicians can't add more than 10 computer accounts to the domain.

The second approach isn't intuitive, but it avoids the AD quota problem. You add the technicians to the Domain Admins group, then remove Domain Admins group from the Administrators group in AD and from the Administrators group of every crucial server. By doing so, the technicians become the administrators of only the client computers. The technicians can add any number of computer accounts to the domain because they belong to the Domain Admins group.

Both of these approaches work. The approach that works best for you will depend on your environment.

—Murat Yildirimoglu and Ugur Duman







Reader Comments

I would like to point out that users that are granted the Create Computer Objects permission on the Active Directory container where the computers reside are not restricted to the 10 computer limit. Option 1, as described in this article, is a much better method for creating a group to manage the computers within your AD structure and not grant them Domain Admin privilages. Creating the restricted group and then delegating the proper authority over the OU that contains your computer accounts will work just fine without any drawbacks.

Daniel -July 13, 2006

Putting the users in Domain Admins group, then removing permissions from the Domain Admins group is NOT a good solution in my opinion. What do you do with the users that NEED full Domain Admins rights? Create a new group for them and assign that new group all the rights they need? You might as well have done that in the first place when creating the group to manage the client computers... The Delegation of Authority option was given to you for a reason...use it.

zixster -August 07, 2006

dear zixster, Quotas and permissions are two different animals. Take the file permissions and disk quota for example. You can have NTFS write permission on a certain disk but if there is a disk quota restricting the disk usage to only 100 MB, you can create files only up to 100 MB. Permissions do not help us overcome the quota restrictions. Murat Yildirimoglu

muraty -September 06, 2006

ADS BY GOOGLE

Job Openings in IT SPONSORED LINKS FEATURED LINKS
Calculate your savings now
See how SAN is 57% cheaper than DAS over three years

Free CDs Offer Fundamental Content for IT Pros
Are you up to speed on the latest technologies and solutions? Don't miss out on your chance to get up to speed quickly on fundamental, in-depth information on some of the hottest topics in our library of content.

Let Your Users Reset Their Own Passwords: Free Download
Try a 30 day free trial of Desktop Authority Password Self-Service – it provides an easy-to-use, robust system for allowing users to reset their own forgotten passwords or locked accounts.


Exchange Server 2010: Deploying Unified Communications - Virtual conference
December 1, 2009 - Free Registration. Build your Unified Communications future on a strong Exchange Server 2010 foundation.

Get Windows IT Pro & Mark Minasi’s Favorite Power Tools Guide
Order Windows IT Pro now and get "More of Mark Minasi's Favorite Power Tools"--a in-depth guide to the most useful Windows commands --FREE with your paid order! Subscribe today, and save 58% off the cover price!

Migration, Virtualization, Availability, and Desktop Management
Realize the importance of a workload optimization strategy...it can affect your bottom line!

Deep Dive into VMware vSphere, eLearning Series
Join John Savill to explore the major functionality capabilities of the vSphere virtualization platform, including identification of the changes from ESX 3.5.
Windows IT Pro Home Register FAQ for Windows WinInfo News
Europe Edition About Us Contact Us/Customer Service Media Kit Affiliates / Licensing  
SQL Server Magazine Office & SharePoint Pro DevProConnections IT Job Hound
Left-Brain.com Technology Resource Directory asp.netPRO ITTV Windows SuperSite 
 
 Windows IT Pro is a Division of Penton Media Inc.
 © 2009 Penton Media, Inc. Terms of Use | Privacy Statement