Question
Monday, September 15, 2014 4:50 PM
We have a new Windows Server 2012 R2 set of servers.
The administrator account is in the domain admins group, it's called site-admin, it's also in the Administrators group.
The site-admin user is also a member of Domain Users group, is it safe to remove site-admin from the Domain Users group??
We don't need this particular user to be affected by Domain Users policies and the like...
Does the site-admin user, being an Administrator, have the ability to remove itself from the Domain Users group??
Thank you, Tom
All replies (9)
Monday, September 15, 2014 8:11 PM ✅Answered
> I do not know how or why the site-admin account got put into domain users
It is default behavior. When you create an account, it is automatically added to the Domain Users group.
> if it's okay to remove this specific one user from the domain users group/container
If my previous answer is not enough, then you can do it, but at your own risk.
My weblog: en-us.sysadmins.lv
PowerShell PKI Module: pspki.codeplex.com
PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
Check out new: SSL Certificate Verifier
Check out new: PowerShell FCIV tool.
Wednesday, September 24, 2014 2:06 AM ✅Answered
"Does the site-admin user, being an Administrator, have the ability to remove itself from the Domain Users group??"
Yes.
But I've never seen it recommended by Microsoft or anywhere else.
In fact, it is not typical to remove admin accounts from the domain users group.
Admin accounts (even though this might not seem necessary because of their extra "powers") have been added to the domain users group since Active Directory version Windows 2000. It is not an error or bug.
Is this the default domain administrator account that might have been renamed?
As Vadims already stated, you would do this at your own risk, since it is not a scenario tested by Microsoft (removing admin accounts from the domain users group that is - MS must put them there for a reason).
An example of a possible problem was already given: in some cases, permissions are assigned to the domain users group. Apparently if you deal with certificates.
Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.
Monday, September 15, 2014 6:53 PM
> The site-admin user is also a member of Domain Users group, is it safe to remove site-admin from the Domain Users group??
This does not make any sense.
> We don't need this particular user to be affected by Domain Users policies and the like...
In this case, you should move administrators to a separate OU, which is not affected by a user policy. That is, restricted user policies should be applied to an OU that contains target users. Other user accounts should be placed in a separate OU.
Monday, September 15, 2014 7:03 PM
It makes perfect sense that we don't want the site-admin user to be affected by policies that should apply only to 'domain users' which are 'standard users,' not administrators.
Monday, September 15, 2014 7:22 PM
As I said, as per best practices (GPO planning) it is recommended to split users by OU and apply policies to relevant OUs. Otherwise, you may expect random issues, where permissions are assigned directly to domain users. For example, certificate templates.
Monday, September 15, 2014 7:24 PM
We already have OUs and whatnot...
I do not know how or why the site-admin account got put into domain users, my specific question is if it's okay to remove this specific one user from the domain users group/container. It is already in the Administrators and Domain Admins groups/containers.
Tuesday, September 23, 2014 3:39 PM
Hi Tlyczko2,
I’m writing to just check in to see if the suggestions were helpful. If you need further help, please feel free to reply to this post directly so we will be notified to follow it up.
Best Regards,
Anna Wang
TechNet Community Support
Tuesday, September 23, 2014 3:52 PM
It should be OK to remove admin users from domain users. But like Vadims said, if you have used the domain users group to assign policies and permissions that may be relevant to the administrator account, it may have an unexpected impact.
If you do remove it and you have problems, simply put the user back into the group.
Technically, though, there is no reason as far as I am aware that the administrator account has to be in the domain users group. The domain users group is not a special group in that way.
Friday, September 26, 2014 11:13 PM
Besides what I wrote above, I had to think about the consequences of such an operation and was reminded of something:
"It makes perfect sense that we don't want the site-admin user to be affected by policies that should apply only to 'domain users' which are 'standard users,' not administrators."
Remember: domain policies will still apply to (domain) administrators.
Domain policies apply to all "authenticated users" in the domain.
Removing domain admins from the domain users group will not prevent policy from applying.
Membership in the "Domain Users" group does not govern application of group policy but rather membership in the "Authenticated Users" group.
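The point made in the replies above (GPO application is governed by security filtering, normally "Authenticated Users", and by OU placement, not by Domain Users membership) can be checked before changing anything. The following read-only audit is an added example, not code posted by anyone in the thread; it assumes the RSAT GroupPolicy and ActiveDirectory modules are installed and uses the `site-admin` account name from the question.

```powershell
# Added example: read-only audit, makes no changes to AD or GPOs.
Import-Module GroupPolicy, ActiveDirectory

$account = 'site-admin'   # account name taken from the question

# 1. Collect every trustee holding "Apply group policy" on each GPO.
$filtering = foreach ($gpo in Get-GPO -All) {
    Get-GPPermission -Guid $gpo.Id -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        ForEach-Object {
            [pscustomobject]@{
                Gpo     = $gpo.DisplayName
                Trustee = $_.Trustee.Name
                Denied  = $_.Denied
            }
        }
}

# Summary: how many GPOs are filtered on each trustee.
# GPOs filtered on "Authenticated Users" keep applying to the account
# whether or not it is a member of Domain Users.
$filtering | Group-Object Trustee | Sort-Object Count -Descending |
    Select-Object Name, Count

# GPOs whose security filtering names Domain Users explicitly.
# Only these would change behaviour if the membership were removed.
$filtering | Where-Object { $_.Trustee -eq 'Domain Users' } |
    Select-Object Gpo, Denied

# 2. Where the account lives and which groups it is in.
# The OU in the distinguished name decides which linked GPOs are in scope.
$user = Get-ADUser -Identity $account -Properties PrimaryGroup
$user.DistinguishedName

# Domain Users is the default primary group of a new account, so it is
# reported here rather than in the memberOf attribute.
$user.PrimaryGroup

# Full membership list, including the primary group.
Get-ADPrincipalGroupMembership -Identity $account |
    Select-Object Name, GroupScope, GroupCategory
```

If the second query returns no GPOs, Domain Users membership plays no part in policy application in this domain; permissions granted to Domain Users elsewhere, such as on certificate templates, are outside what this script checks.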