Allow non-admin access to AD Users and Computers via RDP

user-management, windows-server-2012-r2

I'm trying to lock down our AD domain and remove unneeded users from our Domain Admins group. I'm a Linux guy so some of this is new or different.

We are an all Mac shop so the only way for us to manage our AD is directly on the AD itself. We're set up to allow RDP into the system and I've got it locked down to a limited set of groups which should have access, but the dilemma comes from when a user tries to open the AD Users and Computers application (MMC snap-in). They're immediately presented with a dialog asking for admin credentials to allow the app to modify the system.

We're on Windows 2012 R2 Server with 2 RW DCs and an RO DC.

Any help would be great! Thanks!

Best Answer

You are most likely getting the prompt because you have removed them from the domain admin group and launching the application locally on the DC requires those permissions.

You really need the RSAT tools but being all Macs, that is going to be hard without a Windows VM. You might be able to try disabling UAC on the domain controller if you don't mind the security risk.

Domain users have access to read all AD objects by default, so they can open and view all objects via the ADUC console but can't make any changes until they are delegated control at the forest, domain or OU level.
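An added example of the OU-level delegation the answer refers to, not code from the question or the answer: it uses dsacls.exe to grant a help-desk group password-reset and user-management rights on a single OU, so those staff can do their job in ADUC without Domain Admins membership. The OU path, the group name and the attribute set are assumptions for illustration; run it as an account that already has write permission on the OU's ACL.

```powershell
# Added example (not from the original post): delegate help-desk rights on one OU
# with dsacls.exe instead of adding the group to Domain Admins.
# Assumed names: OU "OU=Staff,DC=corp,DC=example" and group "CORP\HelpDesk".
$ou    = 'OU=Staff,DC=corp,DC=example'
$group = 'CORP\HelpDesk'

# /I:S = inherit to sub-objects only; the ACE does not apply to the OU itself.
# CA = control-access right; "Reset Password" is the extended right on user objects.
dsacls $ou /I:S /G "${group}:CA;Reset Password;user"

# RPWP = read property / write property. pwdLastSet is needed for
# "User must change password at next logon"; lockoutTime is needed to unlock accounts.
dsacls $ou /I:S /G "${group}:RPWP;pwdLastSet;user"
dsacls $ou /I:S /G "${group}:RPWP;lockoutTime;user"

# CCDC = create child / delete child. This ACE goes on the OU itself (no /I switch)
# and is limited to user objects, so the group cannot create computers, groups or OUs.
dsacls $ou /G "${group}:CCDC;user"

# Verify: list only the ACEs that now mention the delegated group.
dsacls $ou | Select-String -SimpleMatch 'HelpDesk'
```

Members of the delegated group log on via RDP as before, and ADUC opens without the elevation prompt for the operations covered by these ACEs; anything outside the OU or outside the granted rights is still denied.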