AD Local Admins Question

Grentz

Ok, here is the situation.

Currently there is a very small business that is using a domain. They really do not NEED a domain as they use none of the features of it currently, they really just have it so that they can use Trend Antivirus SMB Edition.

Currently everyone is set up as Domain Users and Domain Admins (not a problem cause there is nothing they can modify to cause trouble anyways and they all only use their own machine). The reason they are Domain Admins is because the accounting software they use requires admin privileges on the machines and shares, and it just ended up being easier that way I guess :rolleyes:

My job is to try and get it back to a normal domain environment so that they can have private shared folders on the server (something they cannot do currently considering they are all admins). I believe all this will require is making everyone Local Administrators on their machines and then removing them from the Domain Admin group.


So my question is, is there a way to have their accounts become Local Administrators through the DC with a policy or script or something so I do not have to go around to each machine and manually make them Local Administrators?

Any help would be much appreciated. I have searched Google, but the few things I have found have been way over my head. None of the "Are you qualified" business either...I am not really qualified with AD, but I am with the rest of the IT stuff. It is a VERY simple setup they are going for here though so I am comfortable enough to use AD for this situation. I just need to figure out how to make them all Local Admins without going around from machine to machine!

Thanks in advance for any help!
 
Do you want everyone to be a local admin for everyone's machine or just the main user of that machine?
To be honest the best way of doing it is to go around one by one and setting just the main user as the local admin of the PC. There really isn't a batch way of doing this but what you can do is push an RDP GPO to enable RDP for domain admins and you can just do it manually through RDP without having to go to each workstation physically.
 
Do you want everyone to be a local admin for everyone's machine or just the main user of that machine?

Just on their own machine, they only login to their own machine as well if that makes a difference (there are no group terminals that everyone uses and logs onto for example).
 
What we do which makes it only a pain the first time is to create an AD group called "Workstation Admins" or something. Then add everyone into that group, and make that group part of the Administrators group on each PC. Then they are a local Admin, but not a domain admin. The only pain is adding that group the first time through. After that you should be set.
 
What we do which makes it only a pain the first time is to create an AD group called "Workstation Admins" or something. Then add everyone into that group, and make that group part of the Administrators group on each PC. Then they are a local Admin, but not a domain admin. The only pain is adding that group the first time through. After that you should be set.

That would work, but it would make every user an Admin of every machine, and I don't think that is what he's looking for. If it is, then it would be easy to add a domain policy to force a group into the local administrators group -- barely any administration at all. It would probably take more time getting everyone into that group than it would getting it to all the machines, assuming AD was functioning properly and group policies are being applied correctly.

I don't believe there is an easy way to add a user to the local administrators group on their workstation "after the fact". You could write a script that went out and added the user to the local administrators group, but you would need to assign people workstations and make a lookup table for your script.

If you've got something already associating the user with the machine it might be easier. Given your current security model of "everyone is a domain admin", I would quickly jump on taking that away and making everyone an Administrator on every workstation -- worry about cleaning that one up later, just get that domain admin access away from them. File shares are the least of your problem at the moment!
 
I do it the old fashioned way, I guess. My image that I push out has the PC only in a workgroup. All I need to do is join the domain, and then I add the user to the local admin group before I reboot the system once. Then I just need to set up their Outlook profile, and deliver the computer.
 
First off thx for the answers guys, it helps a lot!

That would work, but it would make every user an Admin of every machine, and I don't think that is what he's looking for. If it is, then it would be easy to add a domain policy to force a group into the local administrators group -- barely any administration at all. It would probably take more time getting everyone into that group than it would getting it to all the machines, assuming AD was functioning properly and group policies are being applied correctly.

Actually that would work as they are already only using their own machine. They are almost all laptops that the people use as their personal machines and the desktops are still people's personal machines. Could you explain how or do you have any links to a good guide on how to do what you are talking about?

I know currently there is a simple policy in place that sets things like their IE homepage, and that is the only thing currently in place. Like I said it is pretty much a default install that was put in place just to run their accounting software and Trend antivirus. It has been working fine for years, but I would just like to get them to not be domain admins! (O, and this is not all on me, they were all users but the accounting software company made everyone domain admins for their software to work (they have access to the server as well since they have a maintenance contract with the company), and I am just an outside IT guy anyways).

If you've got something already associating the user with the machine it might be easier. Given your current security model of "everyone is a domain admin", I would quickly jump on taking that away and making everyone an Administrator on every workstation -- worry about cleaning that one up later, just get that domain admin access away from them. File shares are the least of your problem at the moment!

Agreed, I really do want them to not be domain admins anymore! That is why I am here. So far there has been nothing that they could screw up as there is nothing really in place, but in the future I (and they) would like some control.
 
I would create a group, maybe col_LocalAdministrators or something like that. Then write yourself a VBScript that adds that group to the local administrators group on a workstation. Then go into your policy editor and add this group as a startup script for the computers.

You could also create a script to query your domain for computers and use WMI to connect to them and add the group to each one. This is probably not the best way because it's a one time shot -- if machines are offline (laptops, powered off, etc) they're not going to get it. Using a policy to set a startup script makes sure you get every machine every time they start up.
 
Actually that would work as they are already only using their own machine. They are almost all laptops that the people use as their personal machines and the desktops are still people's personal machines. Could you explain how or do you have any links to a good guide on how to do what you are talking about?

Basically you need to implement Restricted groups at the proper OU level which would probably be at the Domain.

Long Winded Microsoft explanation:
http://support.microsoft.com/kb/810076

Short Version:
To use restricted groups:
Open Active Directory Users and Computers.
Browse to the OU that will contain the computer account objects
Open "Properties"
Select the Group Policy Tab
Create a new Group Policy Object
Edit the new object
In the Group Policy MMC, browse to:
Computer Configuration/Windows Settings/Security Settings/Restricted Groups
Right-Click and choose "Add Group"
The group name you enter will be the group that is restricted (Administrators)
Select the group and choose the allowed members.
Using Restricted Groups for the above example:

Specify "Administrator", and your administration group to the Administrators restricted group settings

This will give anyone in that restricted group Local Admin rights to the workstations.
 
Currently everyone is set up as Domain Users and Domain Admins (not a problem cause there is nothing they can modify to cause trouble anyways and they all only use their own machine). The reason they are Domain Admins is because the accounting software they use requires admin privileges on the machines and shares, and it just ended up being easier that way I guess :rolleyes:

I just walked into a new client's today where they did this shit. Anyway you can do it via a GPO but in all reality I would just walk to each machine and do it in a small setup. Would take no time at all. Generally you should be safe setting domain users as admins on the stations or just apply the single user as an admin on them.

After that you can remove the users from the domain admins group on the server. Make sure they are not in enterprise admins, and other groups they don't need to be as well (in case someone just copied the administrator account).

How many users we talking about and what version of windows are they running?
 
How many users we talking about and what version of windows are they running?

Sitting at around 18 stations (so 18 users), not big by any means. It is a mix of 2000 and XP. The server is 2k3.

The reason it would be nice to do a policy is not all the machines are there at the same time usually (laptops out on the road and such) and they do not have an IT dept...we are their IT (and we are a consultant and thus not there often, except when they need us).
 
Actually that would work as they are already only using their own machine. They are almost all laptops that the people use as their personal machines and the desktops are still people's personal machines. Could you explain how or do you have any links to a good guide on how to do what you are talking about?
It's actually quite simple. Open AD Users and Computers and create a new Security Group called "Workstation Admins" (or whatever you want). Then add all your users into that group. Next (and this is the PITA part) you'll have to get onto each system and remove the user from the local admin group and add the Workstation Admins group you created. Reboot the PC and you're done!
 
easiest way, research accounting software and find a way for it to work w/o local admin... IMO


regular users should never have "admin" anywhere in their memberships... just going to cause more problems for you when they break stuff.
 
Well none of them are local admins already, so do I still need access to each machine to do what you are talking about StarTrek4U? Also what do you mean add the Group to the machine (sorry if this sounds like a stupid Q, but like I said I am a complete noob at AD as it's not what I specialize in)?

easiest way, research accounting software and find a way for it to work w/o local admin... IMO


regular users should never have "admin" anywhere in their memberships... just going to cause more problems for you when they break stuff.

Ya, I agree, but in this case that is not an option for various other reasons as well.
 
easiest way, research accounting software and find a way for it to work w/o local admin... IMO


regular users should never have "admin" anywhere in their memberships... just going to cause more problems for you when they break stuff.

While I prefer not letting users have admin rights on the local systems, in a small business you generally don't have this option.
 
Why do most people think you have to walk to every workstation to add a group to the Local Administrators group? Maybe I'm lazy, or all but one of you don't know much about AD, but you don't need to walk to every computer. Group Policy is there for a reason (well, a LOT of reasons) and one of them is not having to walk to every computer. And if you don't want to use Group Policy to do it, you have Remote Desktop or VNC. If you don't have either (and don't want to remote install VNC which is easy), then grab a copy of psexec and just "psexec.exe \\computername cmd.exe". You could even automate it with a batch file and psexec.

Edit: Just read that myself and it does sound "bitchy". Sorry, I wasn't out to offend anybody just not in a great mood. Everybody loves budget-cuts and spending freezes at work right?
 
Why do most people think you have to walk to every workstation to add a group to the Local Administrators group? Maybe I'm lazy, or all but one of you don't know much about AD, but you don't need to walk to every computer. Group Policy is there for a reason (well, a LOT of reasons) and one of them is not having to walk to every computer. And if you don't want to use Group Policy to do it, you have Remote Desktop or VNC. If you don't have either (and don't want to remote install VNC which is easy), then grab a copy of psexec and just "psexec.exe \\computername cmd.exe". You could even automate it with a batch file and psexec.

Edit: Just read that myself and it does sound "bitchy". Sorry, I wasn't out to offend anybody just not in a great mood. Everybody loves budget-cuts and spending freezes at work right?

Could you link me to a good article or inform me on how to do it with group policy? I have been searching and searching and never found anything close to what I want to do...usually involves a bunch of other complex stuff that it sounds like I do not even need to do!
 
Here at work, we have some programs that require local administrator access but only for one department (mostly). So we add a security group to the local administrators group on each computer that they need access to. That way we don't have to manually set new employees as local admins (just put them in the security group) and they won't have local admin access on any other computers.
 
Well none of them are local admins already, so do I still need access to each machine to do what you are talking about StarTrek4U? Also what do you mean add the Group to the machine (sorry if this sounds like a stupid Q, but like I said I am a complete noob at AD as it's not what I specialize in).

Yes, to add the AD group you'll need to access each of the machines. If you have a domain admin account here's what I would do:
- Open computer management (Control Panel -> Admin Tools)
- At the top go to Action -> Connect to Another Computer and enter the name or IP of the PC you want to connect to (provided you know it)
- Once Connected, expand local users and groups, click on the "groups" folder, then double click on the administrators group
- Click on the Add button
- At the next screen type in the name of your AD group (make sure that the location is set from your domain and not the local PC) then click OK
- Click OK again to close the Admin group window and you're done. Now repeat for the next 17 workstations.

If you don't know or are unable to connect to those machines using the method above, you'll just have to skip the second step and do the rest while sitting at each machine. Keep in mind this won't take effect until a restart.

Hope that helps.

PS - If they're Domain Admins, they're local Admins as well ;)

EDIT: After you've done this and verified it's working, be sure to take them out of the domain admins group and leave only one or two domain admin accounts active for management purposes. :)
 
Yes, to add the AD group you'll need to access each of the machines. If you have a domain admin account here's what I would do:
- Open computer management (Control Panel -> Admin Tools)
- At the top go to Action -> Connect to Another Computer and enter the name or IP of the PC you want to connect to (provided you know it)
- Once Connected, expand local users and groups, click on the "groups" folder, then double click on the administrators group
- Click on the Add button
- At the next screen type in the name of your AD group (make sure that the location is set from your domain and not the local PC) then click OK
- Click OK again to close the Admin group window and you're done. Now repeat for the next 17 workstations.

If you don't know or are unable to connect to those machines using the method above, you'll just have to skip the second step and do the rest while sitting at each machine. Keep in mind this won't take effect until a restart.

Hope that helps.

PS - If they're Domain Admins, they're local Admins as well ;)

EDIT: After you've done this and verified it's working, be sure to take them out of the domain admins group and leave only one or two domain admin accounts active for management purposes. :)


Ok, perfect, thx for the post. I understand that completely.

Now the only thing I am a bit fuzzy on is creating the group in the first place, any simple walkthrough for that?

Thx again for all your help! You would be shocked at how long I have been searching and how little good info I have turned up that does not just start rambling off on some tangent...
 
Basically you need to implement Restricted groups at the proper OU level which would probably be at the Domain.

Long Winded Microsoft explanation:
http://support.microsoft.com/kb/810076

Short Version:
To use restricted groups:
Open Active Directory Users and Computers.
Browse to the OU that will contain the computer account objects
Open "Properties"
Select the Group Policy Tab
Create a new Group Policy Object
Edit the new object
In the Group Policy MMC, browse to:
Computer Configuration/Windows Settings/Security Settings/Restricted Groups
Right-Click and choose "Add Group"
The group name you enter will be the group that is restricted (Administrators)
Select the group and choose the allowed members.
Using Restricted Groups for the above example:

Specify "Administrator", and your administration group to the Administrators restricted group settings

This will give anyone in that restricted group Local Admin rights to the workstations.



Ok, I forgot about this post and just went through it on the server, I am cool with everything except the end:

Specify "Administrator", and your administration group to the Administrators restricted group settings

This will give anyone in that restricted group Local Admin rights to the workstations.

I was able to add the group named "Administrators" is that the local admin group? That will not give admin rights on the domain, only local admin right?

I think I am missing a step though, I have the policy made (I called it Local Admins Policy) and added the "Administrators" group to the restricted groups area of the "Local Admins Policy". But do I also need to make the group or do something else some where else? Or do I just specify the "Administrators" group on the machines?

Thx again in advance
 
EDIT
I like the restricted groups method, but I've never used that. I would definitely use that method, but mine is an alternative to that, so I won't delete the post.

Pretend your domain is a big computer that has users and groups in it, just like your computers do. If you create a group in the domain, it does nothing no matter what you call it, until you give it permissions. What you want to do is take a domain group and add it to a computer's local groups. Because you are adding it to a local group, you will only be granting permissions on that local resource.

But that is only half the steps -- once you get everyone into that new group, and you get that new group created as a member of the local administrators group, you still need to remove their domain admins privs.







----my original message before the edit----
You've got two ways of going about this, and a million ways of doing each of those.

1: Make the change on each computer
2: Make the change at the domain

Now, if you're NEVER adding another computer to the domain, or never reinstalling the OS, or don't anticipate any growth or change, then you can go around to all the machines and make the change on the machines.

If you want to plan for growth and change, then you should make the change at the domain. Making the change here will make sure it is changed on every machine today, tomorrow, and every other day from here on out.

The quickest, easiest way I know of to do this at a domain level is to use a startup script. Here is how I would do it.

1. Create your domain group
   1. Open Active Directory Users and Computers. Find the OU where you store your groups, right click on it and choose new, group.
   2. Give it a name and save it. Something like LocalAdministrators would be fine, but that all depends on the naming conventions you've come up with.
   3. Add Members to the group using the group properties in AD Users and Computers.

2. Create your startup script to add the group to the local administrators group.
   1. Create a new text file named LocalAdministrators.cmd and add the following line to it.
      Code:
      Net LocalGroup Administrators <groupnameyoucreated> /add
   2. Save it in a share where all users have rights to at least read it -- \\domain\netlogon would work.

3. Link the script to your GPO
   1. Using Active Directory Users and Computers, browse to the OU where the computer objects are located.
   2. Right click on the OU and choose properties. Go to the group policy tab and click new. Name the policy.
   3. Click the edit button to edit the policy.
   4. Open Computer Configuration > Windows Settings > Scripts and double click startup. Click the add button and enter the full path to the script you created.

That's it.
In less time than it takes you to go around to one computer and change it, you've just changed it for every computer the next time they log into the domain. Not only that, you've also changed it for every other computer that joins the domain in the future.
 
I think I am missing a step though, I have the policy made (I called it Local Admins Policy) and added the "Administrators" group to the restricted groups area of the "Local Admins Policy". But do I also need to make the group or do something else some where else? Or do I just specify the "Administrators" group on the machines?

Just remember to link it to the OU with all the computer account objects and you're good.
 
Just remember to link it to the OU with all the computer account objects and you're good.

So how do I apply it to only certain users? I noticed the "add users to this group" thing when I originally made it, but I cannot get back to that screen now that it is already made!

Edit, I see there is a "Security Filtering" area that currently only has "Authenticated Users" in it. If I were to remove authenticated users and only add the users I wanted it to apply to would that work?
 
Ok, I think I have been just being an idiot, I started over again and here is what I did:

Created a new group on the "Active Directory Users and Groups" manager named "LocalAdmins".

I then went to the "Group Policy Management" and created a new Policy called "LocalAdmins Policy".

I then added the "Administrators" group as a restricted group in that policy. Finally I added the "LocalAdmins" group to "Administrators" when it popped up the dialog asking me to add Users/Groups to it after I added it to the "LocalAdmins Policy" under Restricted Groups.

So is that all right so far?

Now I just need to add the "LocalAdmins" group to the machines and finally add the users I want to have Local Admin privileges (the whole goal here!) to the "LocalAdmins" group via the "Active Directory Users and Groups" manager.

I sure hope I understood!
 
Sorry I lied for a bit, make sure the name of the restricted group is "Administrators" and that you have made a new group "LocalAdminGroup" and make the "LocalAdminGroup" a member of the "Administrators" restricted group. Also add the "Domain Admins" group to the "Administrators" restricted group. (This is done to make administration easier.) Then all you would need to do is just add Domain users to the "LocalAdminGroup" and you're set.

Hopefully that clears things up.

You should be fine just leaving the security filtering alone.

Edit:
I then went to the "Group Policy Management" and created a new Policy called "LocalAdmins Policy".
Just make sure it is attached to the proper OU.
 
Sorry I lied for a bit, make sure the name of the restricted group is "Administrators" and that you have made a new group "LocalAdminGroup" and make the "LocalAdminGroup" a member of the "Administrators" restricted group. Also add the "Domain Admins" group to the "Administrators" restricted group. (This is done to make administration easier.) Then all you would need to do is just add Domain users to the "LocalAdminGroup" and you're set.

Hopefully that clears things up.

You should be fine just leaving the security filtering alone.

Edit:

Just make sure it is attached to the proper OU.

So substituting the names I used above, is that what I did (read my new post that I just made above)?

The only thing I did not do is add Domain Admins to the Administrators group. Would adding Domain Admins to the Administrators group give users Domain Admin privileges again though? I really do not want the users to have Domain Admin privileges or any admin privileges on the domain.

Also you say "make sure the name of the restricted group is "Administrators" " Are you talking about the group I add to the GPO "restricted groups" is "Administrators"? I never made an "Administrators" group, it just was the Built in one.

Edit: Here are screenshots of what I have done:
GPO:


Main Users screen (just added the LocalAdmins group):
 
Looking at the screenshots you just posted. You'll probably want to do some cleaning up. At least create an OU for your user accounts and another one for workstation accounts to get those accounts out of the default locations. Link the restricted group policy object to the workstations OU and you should be good.

By default the Domain Admins group and the local workstation Administrator account are part of the local computer's Administrators group. If you want any user in the Domain Admins group to be a workstation admin, add the Domain Admins group into that policy as well. And you'll probably want to add back the workstation's BUILTIN\Administrator account.


BUILTIN\Administrator
DOMAIN\Domain Admins
DOMAIN\LocalAdmins

That's what I'd have in my policy.

Once you've verified the policy is applying correctly, remove the users from the Domain Admins group and put them into the LocalAdmins group.


Edit: Screenshot of mine

rgpobd5.jpg
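
Added example (not from any poster in the thread): a Restricted Groups setting is stored in the GPO's GptTmpl.inf under [Group Membership], so the Members list can be checked before the policy is linked. This Python sketch parses that section and compares the Administrators entry with the three-entry list recommended above; the sample file, the domain SID and RID 1105 (standing in for DOMAIN\LocalAdmins) are constructed.

```python
import re

# Constructed sample of the GptTmpl.inf that a Restricted Groups policy writes.
# The domain SID and RID 1105 (standing in for DOMAIN\LocalAdmins) are made up.
DOM = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_GPTTMPL = f"""[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = Administrator,*{DOM}-512,*{DOM}-1105
"""

ADMINISTRATORS_SID = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators
BROAD_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-32-545": "BUILTIN\\Users",
}
BROAD_NAMES = {"everyone", "authenticated users", "domain users", "users"}
DOMAIN_RIDS = {500: "Administrator", 512: "Domain Admins", 513: "Domain Users"}


def parse_group_membership(text):
    """Return {group: {"members": [...], "memberof": [...]}} from GptTmpl.inf text.

    A value of None means that key was not present for the group at all.
    """
    groups, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "group membership" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        group, sep, kind = key.strip().rpartition("__")
        kind = kind.lower()
        if not sep or kind not in ("members", "memberof"):
            continue
        # A leading '*' marks a SID rather than an account name.
        entries = [v.strip().lstrip("*") for v in value.split(",") if v.strip()]
        slot = groups.setdefault(group.lstrip("*"), {"members": None, "memberof": None})
        slot[kind] = entries
    return groups


def classify(principal):
    """Return (readable label, is_broad) for a SID or an account name."""
    m = re.fullmatch(r"S-1-5-21-\d+-\d+-\d+-(\d+)", principal)
    if m:
        rid = int(m.group(1))
        return DOMAIN_RIDS.get(rid, f"domain principal (RID {rid})"), rid == 513
    if principal in BROAD_SIDS:
        return BROAD_SIDS[principal], True
    return principal, principal.rsplit("\\", 1)[-1].lower() in BROAD_NAMES


def audit_local_admins(text):
    """List findings for the Administrators restricted group in a GptTmpl.inf."""
    groups = parse_group_membership(text)
    entry = next((v for k, v in groups.items()
                  if k == ADMINISTRATORS_SID or k.lower() == "administrators"), None)
    if entry is None or entry["members"] is None:
        return ["INFO: Administrators is not a restricted group in this policy"]
    findings, names = [], set()
    for principal in entry["members"]:
        label, broad = classify(principal)
        names.add(label.rsplit("\\", 1)[-1].lower())
        if broad:
            findings.append(f"BROAD: {label} makes every such account an admin "
                            "on every computer the policy is linked to")
    # The Members list is authoritative, so compare it with the thread's list.
    for wanted in ("Domain Admins", "Administrator"):
        if wanted.lower() not in names:
            findings.append(f"MISSING: {wanted} is not in the Members list")
    return findings


if __name__ == "__main__":
    for finding in audit_local_admins(SAMPLE_GPTTMPL) or ["OK: matches the recommended list"]:
        print(finding)
```

On a real domain controller the file is typically UTF-16 encoded, so decode it before passing the text to `audit_local_admins`.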
 
@Grentz:
Yep everything looks good. With adding groups to be a member of a bigger group they don't share their permissions with other group members, so you don't have to worry about the people that are exclusive to the LocalAdmin group getting the same permissions as the DomainAdmin group.

@LittleMe:
Thanks for the SS, unfortunately I can't post stuff like that due to me wanting to keep my job ^_^;;

Hope that clears things up.
 
@Grentz:
Yep everything looks good. With adding groups to be a member of a bigger group they don't share their permissions with other group members, so you don't have to worry about the people that are exclusive to the LocalAdmin group getting the same permissions as the DomainAdmin group.

@LittleMe:
Thanks for the SS, unfortunately I can't post stuff like that due to me wanting to keep my job ^_^;;

Hope that clears things up.


Not a problem. But remember, you don't have to take a SS of your production setup. Work can't control your personal sandbox! That's why User is still enabled in that policy. I'm anal about disabling it when it's not used in production, but don't care in my sandbox.
 
Ok, awesome, thx for the reply guys.

So what I posted will work just fine? I do not have to add the Administrators or Domain Admins accounts to be members of that restricted group correct (only if I want to)?

Moving forward, all I have to do is add the group "LocalAdmins" to each workstation and then link that policy to the OU correct?

Thx again for all your help guys!
 
So what I posted will work just fine? I do not have to add the Administrators or Domain Admins accounts to be members of that restricted group correct (only if I want to)?
Yes

Moving forward, all I have to do is add the group "LocalAdmins" to each workstation and then link that policy to the OU correct?
No need to do that, just link the localAdmin policy to your OU that contains all of the computer objects.

Here's what happens when a user logs into the domain.
The computer looks up userinfo in AD.
Once verified the computer gets all of the computer policies that apply to it.
Then it gets all of the user policies that apply to the user from AD.

I know I'm missing a few things, but that's the quick and dirty version (and I haven't had caffeine yet.) Basically when you link the policy to the group the workstation will always automagically add the group into that computer every time a user logs into the domain.
 
Yes


No need to do that, just link the localAdmin policy to your OU that contains all of the computer objects.

Here's what happens when a user logs into the domain.
The computer looks up userinfo in AD.
Once verified the computer gets all of the computer policies that apply to it.
Then it gets all of the user policies that apply to the user from AD.

I know I'm missing a few things, but that's the quick and dirty version (and I haven't had caffeine yet.) Basically when you link the policy to the group the workstation will always automagically add the group into that computer every time a user logs into the domain.

Awesome, gotta love one less step! I did not enjoy the thought of having to manually add it to each machine :cool:

So now any user in my "LocalAdmins" group will be local admins and anyone not in there will just remain how they are right now correct?

I will want to try it on a few select users, so I will leave all the others as they are setup right now (Domain Admins) while I make sure it all works out...I just want to make sure it will not screw them up:)



I cannot thank you guys enough!
 
Ok, I have everything resolved now, it all worked out perfectly!

Thank you SOOO much everyone that responded and helped, this has been on my todo list for years and I have never found someone to help me with it that did not want $1000/hr or just plain could not describe it in simple terms...
 
Where do you want us to send our bills? I'll only charge $500/hr!


But really, glad it worked out for you.
 
You have a massive security issue on your network if you have anyone signed in as a domain admin. Anyone with those credentials can make global changes on your network, not to mention if a pc gets some sort of malware. My normal login isn't even a domain admin account. I only use it when making changes on the network, working directly on the server or accessing a computer remotely.
The only time I've seen a need to have an account setup as a domain admin is when it logs into the domain for the first time. Things seem to setup cleaner on the pc when I do it that way. As soon as I have logged in with the account I change the permission to whatever it should be.
If I were you I would as quick as possible change any users who are domain admins and make them local admins. Start doing 2 or 3 at a time and see how it goes.
 
You have a massive security issue on your network if you have anyone signed in as a domain admin. Anyone with those credentials can make global changes on your network, not to mention if a pc gets some sort of malware. My normal login isn't even a domain admin account. I only use it when making changes on the network, working directly on the server or accessing a computer remotely.
The only time I've seen a need to have an account setup as a domain admin is when it logs into the domain for the first time. Things seem to setup cleaner on the pc when I do it that way. As soon as I have logged in with the account I change the permission to whatever it should be.
If I were you I would as quick as possible change any users who are domain admins and make them local admins. Start doing 2 or 3 at a time and see how it goes.

I take it you read his first post and nothing more. This entire thread was about stopping his users from being domain admins.

Great threadcrap though.
 
Where do you want us to send our bills? I'll only charge $500/hr!


But really, glad it worked out for you.

lol

You have a massive security issue on your network if you have anyone signed in as a domain admin. Anyone with those credentials can make global changes on your network, not to mention if a pc gets some sort of malware. My normal login isn't even a domain admin account. I only use it when making changes on the network, working directly on the server or accessing a computer remotely.
The only time I've seen a need to have an account setup as a domain admin is when it logs into the domain for the first time. Things seem to setup cleaner on the pc when I do it that way. As soon as I have logged in with the account I change the permission to whatever it should be.
If I were you I would as quick as possible change any users who are domain admins and make them local admins. Start doing 2 or 3 at a time and see how it goes.

I take it you read his first post and nothing more. This entire thread was about stopping his users from being domain admins.

Great threadcrap though.

Correct, I already know/knew it was an issue...the whole point has been to rectify it which has now been accomplished!
 