
I'm trying to lock down our AD domain and remove unneeded users from our Domain Admins group. I'm a Linux guy so some of this is new or different.

We are an all Mac shop so the only way for us to manage our AD is directly on the AD itself. We're set up to allow RDP into the system and I've got it locked down to a limited set of groups which should have access, but the dilemma comes from when a user tries to open the AD Users and Computers application (MMC snap-in). They're immediately presented with a dialog asking for admin credentials to allow the app to modify the system.

We're on Windows 2012 R2 Server with 2 RW DCs and an RO DC.

Any help would be great! Thanks!

Andrew

1 Answer


You are most likely getting the prompt because you have removed them from the domain admin group and launching the application locally on the DC requires those permissions.

You really need the RSAT tools but being all Macs, that is going to be hard without a Windows VM. You might be able to try disabling UAC on the domain controller if you don't mind the security risk.

Domain users have access to read all AD objects by default, so they can open and view all objects via the ADUC console but can't make any changes until they are delegated control at the forest, domain or OU level.

  • This is what I was half expecting. I have delegated control to the users to a specific OU to help secure the Domain a bit. What's the result of just putting them in the local administrators group and not Domain Admin? That seems to let them open ADUC but what's the impact to their access rights IN the domain? – Andrew Jun 01 '16 at 14:57
  • I am guessing you aren't remoting directly into the DC then because DCs don't have a local admin group. If you are making them a local admin on a standalone server then they have admin rights only on that server and it doesn't affect the domain at all. It sounds like you have a great setup for managing a domain from Macs if you have a separate server, that isn't a DC, for managers to remote into and have permissions delegated without making users domain admins. – Skyler Kincaid Jun 01 '16 at 15:12
  • I found a group just called "Administrators". I wasn't sure what its abilities are. It seems to let people use ADUC. I have also thought about a dedicated Windows box or VM to allow admin from as well and may need to explore that option more seriously. – Andrew Jun 01 '16 at 17:08
  • Here is the default description of that group: "Administrators have complete and unrestricted access to the computer/domain". That group has the Domain Admins group in it by default. You essentially made them domain/enterprise admins again. So I am guessing you are logging directly into a DC then? – Skyler Kincaid Jun 01 '16 at 17:12
  • Yes. We are logging into a DC. So it seems that my only option is to instantiate a new system to allow the use of ADUC, is there any other option? – Andrew Jun 01 '16 at 17:15
  • I searched through a few other forums and they all mentioned a Windows VM running on the Mac or on a different virtual host. You need to be able to install RSAT and you can't install RSAT on non-Windows computers. – Skyler Kincaid Jun 01 '16 at 17:20
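As an added illustration (not part of the question or the answer above), the following PowerShell audit makes the two points of the thread visible: the built-in Administrators group on a DC nests Domain Admins, so adding users there hands domain-wide rights back, and the safer alternative is an explicit delegation on one OU. It assumes the ActiveDirectory module (part of RSAT, also present on a DC) is available and the caller can read the domain; the OU distinguished name is a placeholder.

```powershell
# Added example, not code from the question or answer.
# Assumes the ActiveDirectory module is loadable and the caller has read rights.
Import-Module ActiveDirectory

# Placeholder: the OU that was delegated instead of granting Domain Admins.
$delegatedOu = 'OU=Helpdesk-Managed,DC=example,DC=com'

# 1. Show that the built-in Administrators group nests Domain Admins by default,
#    so any user placed in it is effectively a domain admin on a DC.
'Direct members of Builtin\Administrators:'
Get-ADGroupMember -Identity 'Administrators' |
    Select-Object Name, objectClass |
    Format-Table -AutoSize

# 2. Resolve every user who ends up with domain-wide admin rights, including
#    through nested groups, for each of the high-privilege groups.
foreach ($group in 'Domain Admins', 'Enterprise Admins', 'Administrators') {
    $users = Get-ADGroupMember -Identity $group -Recursive |
             Where-Object { $_.objectClass -eq 'user' } |
             Select-Object -ExpandProperty SamAccountName
    '{0}: {1}' -f $group, ($users -join ', ')
}

# 3. List what was actually delegated on the OU. Only explicit (non-inherited)
#    ACEs are shown, since those are the deliberate delegations; inherited
#    entries come from the domain head and apply everywhere.
"Explicit ACEs on $delegatedOu :"
$acl = Get-Acl -Path "AD:\$delegatedOu"
$acl.Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, ActiveDirectoryRights,
                  AccessControlType, InheritanceType, ObjectType |
    Format-Table -AutoSize
```

Run it before and after changing group membership; if a helpdesk account appears in step 2 under Administrators, the delegation in step 3 is not what is granting their ADUC access.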