KevinDietz-7161 asked DSPatrick answered

Should my Domain Administrators group be added to the windows 10 local admin group?

Is there a justification to add the domain admins group into the local Windows 10 administrators group? There seems to be a risk here, or at least one risk anyway, with adding these elevated accounts. We have the local administrator account enabled and are using LAPS to manage the password. We do have a desktop support account added to this group to manage the desktop.

windows-10-setup

Hi,
 
Just checking in to see if the information provided was helpful.
 
If the reply helped you, please remember to accept it as an answer.
If not, please reply and tell us the current situation so we can provide further help.

Best Regards,


Hi,
As this thread has been quiet for a while,
Does this question have any update?
If you have any questions or concerns about it, please don't hesitate to let us know.
Best Regards,

DSPatrick answered

By default the domain admin is a member of the local Administrators group, but you're correct, it doesn't have to be if that's your administration workflow.

Domain Admins are, by default, members of the local Administrators groups on all member servers and workstations in their respective domains.
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-f--securing-domain-admins-groups-in-active-directory

--please don't forget to Accept as answer if the reply is helpful--


FanFan-MSFT answered

Hi,
The Domain Administrators group is added to the local administrators group on all the workstations and member servers by default.
You can try to secure the Domain Admins group in Active Directory in the following ways:
Remove all members from the group, with the possible exception of the built-in Administrator account for the domain, provided it has been secured as described in Appendix D: Securing Built-In Administrator Accounts in Active Directory.

In GPOs linked to OUs containing member servers and workstations in each domain, the DA group should be added to the following user rights in Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignments:

Deny access to this computer from the network

Deny log on as a batch job

Deny log on as a service

Deny log on locally

Deny log on through Remote Desktop Services user rights

Auditing should be configured to send alerts if any modifications are made to the properties or membership of the Domain Admins group.

To do this step by step, you can refer to:
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-f--securing-domain-admins-groups-in-active-directory

Best Regards,
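A defender-side check for the points raised in the question and in the answer above, written for this thread as an added example (it is not code from Microsoft's documentation or from either answer): run on a Windows 10 workstation, it reports whether Domain Admins (identified by its well-known RID 512 rather than by name) is still a member of the local Administrators group, shows whether the built-in Administrator account the asker manages with LAPS is enabled, and checks which of the five deny rights listed above currently include Domain Admins in the effective policy exported by secedit. The function name `Test-WorkstationAdminExposure` and the temporary export path are assumptions.

```powershell
# Added example for this thread (not Microsoft's code or the answers' code).
# Run in an elevated PowerShell session on the workstation being checked;
# secedit /export needs administrative rights.
# Assumptions: Domain Admins is matched by RID 512 (works even if renamed);
# the export file path is arbitrary and is deleted after reading.

function Test-WorkstationAdminExposure {
    [CmdletBinding()]
    param()

    $findings  = [System.Collections.Generic.List[string]]::new()
    $daPattern = 'S-1-5-21-\d+-\d+-\d+-512$'   # any domain's Domain Admins SID

    # 1. Local Administrators membership: is Domain Admins still in it?
    $members  = Get-LocalGroupMember -Group 'Administrators'
    $daMember = $members | Where-Object { $_.SID.Value -match $daPattern }
    if ($daMember) {
        $findings.Add("Domain Admins ($($daMember.Name)) is a member of local Administrators")
    }
    $findings.Add('Local Administrators members: ' + (($members | ForEach-Object Name) -join ', '))

    # 2. Built-in Administrator (RID 500): report its state so it can be compared
    #    with what LAPS is expected to be managing.
    $builtin = Get-LocalUser | Where-Object { $_.SID.Value -match '-500$' }
    if ($builtin) {
        $state = if ($builtin.Enabled) { 'enabled' } else { 'disabled' }
        $findings.Add("Built-in Administrator '$($builtin.Name)' is $state")
    }

    # 3. Effective user rights: does each deny right from the answer list Domain Admins?
    $cfg = Join-Path $env:TEMP 'secpol-audit.inf'     # assumed scratch path
    $null = secedit /export /cfg $cfg
    $policy = Get-Content -Path $cfg
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue

    $denyRights = [ordered]@{
        'SeDenyNetworkLogonRight'           = 'Deny access to this computer from the network'
        'SeDenyBatchLogonRight'             = 'Deny log on as a batch job'
        'SeDenyServiceLogonRight'           = 'Deny log on as a service'
        'SeDenyInteractiveLogonRight'       = 'Deny log on locally'
        'SeDenyRemoteInteractiveLogonRight' = 'Deny log on through Remote Desktop Services'
    }
    foreach ($right in $denyRights.Keys) {
        # secedit writes lines such as:  SeDenyNetworkLogonRight = *S-1-5-21-...-512,*S-1-5-...
        $line   = $policy | Where-Object { $_ -match "^\s*$right\s*=" } | Select-Object -First 1
        $covers = $line -and ($line -match 'S-1-5-21-\d+-\d+-\d+-512(,|\s|$)')
        $status = if ($covers) { 'includes' } else { 'does NOT include' }
        $findings.Add("$($denyRights[$right]): $status Domain Admins")
    }

    return $findings
}

Test-WorkstationAdminExposure | ForEach-Object { Write-Output $_ }
```

Running this before and after linking the GPO described above shows whether the deny rights actually reached the workstation; a machine where Domain Admins is still in local Administrators but none of the deny rights include it is the exposed state the question is asking about.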


DSPatrick answered

Just checking if there's any progress or updates?

--please don't forget to Accept as answer if the reply is helpful--
