Restricting / Understanding MMC permissions

We are new to Active Directory. I am configuring our domain-joined computers to be remotely managed by MMC from the domain controller. This works wonderfully so far, but I have a question.

I know that my regular users can't open MMC and connect to any of our other machines and manage them, and this is generally as it should be (more accurately, they can open MMC and attempt to connect, but the connection will fail and they generally can't even see any information, much less change anything). I know that anyone who is a member of the Domain Admins group can remotely manage a domain-joined computer with MMC.

I guess my question is, what permissions does the Domain Admins group have that allows this? We may have occasion to grant MMC / remote management rights to certain individuals without wanting to make them domain admins, and I'd like to know where and how to do that, if it's possible.


  • Edited by bpoindexter 14 hours 13 minutes ago Additional info
August 8th, 2014 4:23pm

Hi,

By default, the "Domain Admins" group will be added into the "Administrators" group of all domain member computers.
It's actually the membership of the "local" Admins group which grants the group members of Domain Admins the permissions to "manage" the member computer.

(Domain Admins has other privileges within the AD too, but those aren't directly relevant to your goal)

You can use AD Group Policy to automatically add another domain group into the "local" Admin group.
Such a group (e.g. "Workstation Admins") needs to be created in AD; then add the relevant domain user accounts into that "Workstation Admins" group.
Then, create a GPO in AD, and add the "Workstation Admins" group into the policy. Link the policy to the OU for the workstation computers, where you want these accounts (by virtue of their membership) to be admins.

An example, using Group Policy Preferences, is here:

http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/

http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/2/

http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/3/

(there are 3 pages in the series)

For this particular question, and in general, questions relating to Group Policy, I recommend the dedicated GP forum, where GP specialists hang out :)
http://social.technet.microsoft.com/Forums/en-US/home?forum=winserver

August 9th, 2014 3:45am
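
The procedure from the answer above, as an added example that is not part of the original thread: create the delegated group, create and link the GPO, then audit which domain principals actually hold local administrator rights on the workstations. The domain `example.com`, the `Workstations` OU, the accounts `jdoe` and `asmith`, and the GPO name are placeholders; the audit step assumes PowerShell remoting is enabled on the targets and that they have the `Get-LocalGroupMember` cmdlet (Windows PowerShell 5.1 or later).

```powershell
# Added example. All names below are hypothetical placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$ou        = 'OU=Workstations,DC=example,DC=com'
$groupName = 'Workstation Admins'
$gpoName   = 'Local Admins - Workstations'
$netbios   = 'EXAMPLE'

# 1. Create the domain group and add the accounts that need management rights.
New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
    -Path 'CN=Users,DC=example,DC=com'
Add-ADGroupMember -Identity $groupName -Members 'jdoe', 'asmith'

# 2. Create the GPO and link it only to the workstation OU, so the group
#    never becomes a local admin on servers or domain controllers.
New-GPO -Name $gpoName | Out-Null
New-GPLink -Name $gpoName -Target $ou | Out-Null

# The local-group setting itself is configured in the GPO editor:
# Computer Configuration > Preferences > Control Panel Settings >
# Local Users and Groups (add "Workstation Admins" to Administrators).

# 3. Audit: list domain principals in each workstation's local
#    Administrators group that are not on the expected list.
$expected  = @("$netbios\Domain Admins", "$netbios\$groupName")
$computers = Get-ADComputer -Filter * -SearchBase $ou |
    Select-Object -ExpandProperty Name

$members = Invoke-Command -ComputerName $computers -ErrorAction SilentlyContinue -ScriptBlock {
    # S-1-5-32-544 is the built-in Administrators group; using the SID
    # avoids problems with localized group names.
    Get-LocalGroupMember -SID 'S-1-5-32-544' |
        Where-Object { $_.PrincipalSource -eq 'ActiveDirectory' } |
        ForEach-Object { [pscustomobject]@{ Member = $_.Name } }
}

$members |
    Where-Object { $_.Member -notin $expected } |
    Sort-Object PSComputerName |
    Format-Table PSComputerName, Member -AutoSize
```

Any row in the final table is a domain account or group with local administrator rights that neither the default configuration nor the new policy accounts for.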
