Answer the question
In order to leave comments, you need to log in
What policy adds the Domain Admins group to the local Administrators group?
Once upon a time in one video I found the answer, but today I could not find it.
I saw exactly that this happens by policy, but I don’t remember local or group.
Please remind me.
The Domain Admins group has the SID: S-1-5-21domain-512, the policy adds this SID to the local Admins group.
Answer the question
In order to leave comments, you need to log in
Got a response from the author of the video.
He pointed out that I mixed up the default behavior and the addition of the Restricted Groups policy that was mentioned in that video.
By default, a computer joined to AD, at the computer account level, adds the "Domain Admins" group from AD to the group of local administrators and does it once. If the "Domain Admins" group is removed from the local administrators group, the first one will no longer appear in the second one.
The Domain Admin group is by default included in the Adminstrations group on computers. If I don't confuse anything.
Computer Configuration\Settings\Control Panel Settings/Local Users and Groups
in general, this is a fundamental principle of membership in AD - a domain member computer cannot but obey domain administrators
IMHO this can be even deeper than politics. if you want to get a domain member computer that doesn't obey domain admins ... well.. in passing .. so to speak..
pps my experience is obviously outdated . but perhaps the comments have value))
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question