Question

manavalanR-1747 asked:

How to prevent my users based on domain name

Hi all, I have one master domain controller called "domain.com" and two child domains called "child1.domain.com" and "childtwo.domain.com". I have also joined a Windows 10 machine to the master domain controller "domain.com", and then added users on the client Windows machine by choosing the location "domain.com" or its child domain.

My question is: for domain-based administration I need to promote any user from domain.com to the admin role on the client Windows 10 machine, and the same for the other sub-domain users. A domain-based admin user should not be able to delete the other domain's admins and users.
Which means domain-based privileges.

Tags: windows-active-directory, windows-group-policy

FanFan-MSFT answered:

Hi,
First of all, let's make sure of the difference between Domain Admins and Enterprise Admins in the parent domain (root domain).

Domain Admins:
Members of this group have full control of the domain. By default, this group is a member of the Administrators group on all domain controllers, all domain workstations, and all domain member servers at the time they are joined to the domain. By default, the Administrator account is a member of this group. Because the group has full control in the domain, add users with caution.
Enterprise Admins (only appears in the forest root domain):
Members of this group have full control of all domains in the forest. By default, this group is a member of the Administrators group on all domain controllers in the forest. By default, the Administrator account is a member of this group. Because this group has full control of the forest, add users with caution.

So an admin in the Domain Admins group of the parent domain will not have permission to delete users in a child domain.
But admins in the Enterprise Admins group will have full permission to control the child domain, including deleting users in the child domain.
Best Regards,

manavalanR-1747 commented:

@FanFan-MSFT clear definition, thanks a lot, but my ultimate goal is this: I have one Windows 10 Pro workstation joined to my domain, and I add users on the client workstation, chosen from the parent domain as well as child domain controller users, to the Remote Desktop group on the workstation.

Now all users in the parent and child domain controllers are able to log on to the workstation machine.

So I need to promote any user from both domain controllers to the administrator role on the joined workstation. Now the problem occurs that the administrator of the parent domain controller is able to delete the user, even through the administrator of the child domain controller. How should I restrict this? I need domain-based authorisation.

AndriyBilous answered:

Hello @manavalanR-1747

Each domain in a forest has its own Domain Admins (DA) group, which is a member of that domain's built-in Administrators (BA) group in addition to a member of the local Administrators group on every computer that is joined to the domain. The only default member of the DA group for a domain is the Built-in Administrator account for that domain.

The DA group is a global security group located in the Users container for the domain. There is one DA group for each domain in the forest, and the only default member of a DA group is the domain's Built-in Administrator account. Because a domain's DA group is nested in the domain's BA group and every domain-joined system's local Administrators group, DAs not only have permissions that are specifically granted to Domain Admins, but they also inherit all rights and permissions granted to the domain's Administrators group and the local Administrators group on all systems joined to the domain.

https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-b--privileged-accounts-and-groups-in-active-directory#domain-admins

FanFan-MSFT answered:

Hi,
Based on my understanding, you want to grant a domain user local administrator permission on the domain clients, right?
If I understand correctly, you can use Group Policy to set this.
Create a fresh Group Policy Object (GPO) and link it to an Organizational Unit (containing the computers).
Open the GPO and navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Restricted Groups.
Right-click and choose Add Group. If you want to add users to the local Administrators group, enter Administrators. In the next window, under "Members of this group:", click Add and choose the users to add to the local Administrators group. Note that any users that are currently in the local Administrators group will be removed and replaced with the users you select here. If that is what you want, click OK and close the GPO.

If i misunderstand you, please feel free to let me know.
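An added example, not part of FanFan-MSFT's answer or of any Microsoft documentation: it audits the workstation's local Administrators and Remote Desktop Users groups against the membership you intend Restricted Groups to enforce, grouping members by source domain so you can see at a glance which domain each member came from. DOMAIN, CHILD1, CHILDTWO and the wsadmin* accounts are placeholders for the poster's parent and child domains and chosen users.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on the
# domain-joined Windows 10 workstation. Placeholder domain/account names.
$Intended = @{
    'Administrators'       = @("$env:COMPUTERNAME\Administrator",
                               'DOMAIN\wsadmin1', 'CHILD1\wsadmin2', 'CHILDTWO\wsadmin3')
    'Remote Desktop Users' = @('DOMAIN\Domain Users', 'CHILD1\Domain Users', 'CHILDTWO\Domain Users')
}

function Get-LocalGroupMemberByDomain {
    param([Parameter(Mandatory)][string]$Group)
    # Get-LocalGroupMember reports Name as 'AUTHORITY\account'. For domain
    # principals AUTHORITY is the NetBIOS domain name; for local accounts
    # (e.g. the built-in Administrator) it is the computer name.
    Get-LocalGroupMember -Group $Group | ForEach-Object {
        $authority, $account = $_.Name -split '\\', 2
        [pscustomobject]@{
            Group   = $Group
            Domain  = $authority
            Account = $account
            Class   = $_.ObjectClass      # User or Group
            Source  = $_.PrincipalSource  # Local, ActiveDirectory, ...
        }
    }
}

function Test-LocalGroupDrift {
    param([Parameter(Mandatory)][hashtable]$Intended)
    foreach ($group in $Intended.Keys) {
        $actual = @(Get-LocalGroupMemberByDomain -Group $group)
        $names  = @($actual | ForEach-Object { "$($_.Domain)\$($_.Account)" })
        # The local group is flat: nothing records which domain's admin added or
        # removed a member, so the intended list is the only durable reference.
        [pscustomobject]@{
            Group      = $group
            ByDomain   = ($actual | Group-Object Domain |
                          ForEach-Object { "$($_.Name)=$($_.Count)" }) -join '; '
            Unexpected = @($names | Where-Object { $Intended[$group] -notcontains $_ })
            Missing    = @($Intended[$group] | Where-Object { $names -notcontains $_ })
        }
    }
}

Test-LocalGroupDrift -Intended $Intended | Format-List
```

Anything listed under Unexpected was added outside the intended list; anything under Missing was removed, which is exactly the change the Restricted Groups policy reverts at the next Group Policy refresh.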

manavalanR-1747 commented:

Hi @FanFan-MSFT, thanks for your reply, but my scenario is different: I have one master domain controller and two or more child domain controllers added to the master by using the "add domain to existing forest" method.

So I have a client workstation added to the master domain name. All users in the master and child domains are able to log in to the client workstation because both domains' users were added to the "Remote Desktop Users" group on the client workstation.

So my question is that any user with admin access in a domain, like admin.masterdomain.com, can't delete the other child domain's users like child.child.masterdomain.com and child2.child.masterdomain.com; here child.masterdomain.com is its child domain controller.


FanFan-MSFT commented:

Hi,
I'm afraid we can't change the default permissions for Domain Admins.
Even if you change the permissions, AD will change them back.
If you want to promote a user as admin for workstations, you can do that through delegation of control.
Best Regards,
