The Missing Link in Windows’ Group Hierarchy

There are many administrative groups in a Windows network. Every Windows NT-based machine has an Administrators group (i.e., the SAM) in its local user database to manage that computer. In addition, there are administrative groups in the domain database (i.e., the Active Directory—AD—database) to manage the domain. These groups include the Administrators, Domain Admins, and Enterprise Admins groups. When a Windows NT-based computer group joins an AD domain, the Domain Admins group is added to the local Administrators group of that machine. Hence, the members of the Domain Admins group gain the necessary rights on that machine.

Domain Admins group members have the rights to manage all the computers in a domain, including domain controllers (DCs) and client computers. The Administrators group in the AD database has the rights to manage DCs. The Enterprise Admins group has some forestwide rights. What's missing is a group that can't manage DCs and other crucial servers but can manage the rest of the computers.

At our company, we frequently need a group to manage client computers but not crucial servers. Although there is no such built-in group, a good systems engineer can create one. We found two ways to do so. To illustrate these approaches, let's say we want to create a group that contains technicians who will be responsible for managing client computers but not crucial servers.

The first approach is to create group that has an appropriate name such as Technicians and add the technicians to it. After you create this group, you need to create an organizational unit (OU) that contains the client computers. In that OU, you need to restrict the membership of the Administrators group by using the Restricted Groups policy. The Administrators group should contain only the Technicians group and the local administrator account. By doing so, the members of the Technicians group become the administrators of the client computers.

Although this approach works, it has a drawback. An AD quota prevents ordinary users from adding more than 10 computer accounts to the domain. The members of the technicians group are ordinary users, except that they're the administrators of the client computers. Thus, the technicians can't add more than 10 computer accounts to the domain.

The second approach isn't intuitive, but it avoids the AD quota problem. You add the technicians to the Domain Admins group, then remove Domain Admins group from the Administrators group in AD and from the Administrators group of every crucial server. By doing so, the technicians become the administrators of only the client computers. The technicians can add any number of computer accounts to the domain because they belong to the Domain Admins group.

Both of these approaches work. The approach that works best for you will depend on your environment.

—Murat Yildirimoglu and Ugur Duman

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.