Home > Production Story > Domain Admin removal from Local Administrators

Domain Admin removal from Local Administrators

I was working on a lab as I do daily on my new job training. We used the “You break it, I fix it” method and for me it is the best way to go – when I fix something I remember it.

We worked on some access denied scenarios and one of them involved the removal of the Domain Administrator account from the Local Administrators group on a 2003 Server. By removing the Domain Admin credentials from the Local Administrators group we expected our application to fail access to shares as we also removed the Everyone share permission.

The trick worked as planed but the guy who broke my lab forgot one little details – My RDP session used the same Domain Admin account and I lost the ability to get on that server. Lucky enough he did remember to get a local Administrator account ready to use and though I failed fixing the lab (due to lack of access) we could log in and roll back the changes.

If you asked yourself why the removal of Domain Admin account from the local Administrators group broke my RDP, you should dive into the default permissions (Windows 2003 Server in this case but all across the board). By default, the Domain Admins group is a member of the Administrators group on all computers that have joined a domain, including the DCs. The removal of this group either manually or via Group Policy will also remove the automatic remote access permissions. Make sure you remember this chain reaction before you implement such policy in your production environment 🙂

Advertisements
  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: