Re: Domain Admin group in ISA 2006

From: guardian911@xxxxxxxxx
Date: 9 May 2007 10:58:40 -0700

Thanks. My question is:

Can Domain Admins be segregated from administering an ISA 2006 Server?

On May 9, 7:01 am, "Phillip Windell" <philwind...@xxxxxxxxxxx> wrote:

If you can't trust theDomainAdminsthen the war is already over and you lost.ISAwould be the last thing you have to worry about.
Don't give peopleDomainAdmin privledges if they can't be trusted at that
level,...there are *other* ways to delegate the abilities to do the work they
need.

--
Phillip Windellwww.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft, or
anyone else associated with me, including my cats.
-----------------------------------------------------

"Paul" <guardian...@xxxxxxxxx> wrote in message

news:uge24350avqp16omk1trbokq64dkd4112r@xxxxxxxxxx

I keep reading that one of the downsides of havingISA2006 joined to the
domainis the fact that anydomainadmin can
compromise theISAarray configuration.

Isn't it easy enough to remove theDomainAdminssecurity group from the local
administrator group on theISAServer and
subsequently removeDomainAdminsfrom having theISAServer Full
Administrator role?

Unless there is some Group Policy in effect, theDomainAdminsshould not be
able to add themselves back, correct?- Hide quoted text -

- Show quoted text -

Follow-Ups:
- Re: Domain Admin group in ISA 2006
  - From: Phillip Windell

References:
- Domain Admin group in ISA 2006
  - From: Paul
- Re: Domain Admin group in ISA 2006
  - From: Phillip Windell

Prev by Date: Critical Errors In Security Log
Next by Date: Re: Domain Admin group in ISA 2006
Previous by thread: Re: Domain Admin group in ISA 2006
Next by thread: Re: Domain Admin group in ISA 2006
Index(es):
- Date
- Thread

Relevant Pages

Re: Domain Admin .vs Adminstrator Account
... THE Administrator account is the initial or default ... > However, the domain admins group is automatically added to the local> administrators group on all domain members, which means that> the domain admins account has full administrative control over all domain> member machines. ... The administrator account on the other hand, isn't as> powerful in this way (just being an administrator of the domain doesn't mean> you can install software on domain members); the administrator account is> much more powerful, as Cary already stated, from a domain administrative> stand point. ...
(microsoft.public.win2000.active_directory)
Re: Roaming Profile problem
... Unless you're playing with Restricted groups policy or any other scripts, generally Domain Admins are members of local Administrators in all machines in the domain check that. ... I did log on as the domain administrator not the local admin. ... You're logged on with the account that refer to the profile to be copied. ... Logged on as test student ...
(microsoft.public.windows.server.active_directory)
Re: Domain Admin group in ISA 2006
... Phillip Windell ... Can Domain Admins be segregated from administering an ISA 2006 Server? ... subsequently removeDomainAdminsfrom having theISAServer Full ... Administrator role? ...
(microsoft.public.isaserver)
Re: Possible answer to domain problems
... that the DCPROMO process may change the policy so that only domain admins ... local administrator when running DCPROMO, so that if the Domain Admins group ... > install Office XP on it, so I started from scratch again. ...
(microsoft.public.win2000.security)
Re: full sharing between domain admins
... mentions a determined domain administrator ultimately has ways to gain ... themselves back in local administrators group for instance. ... > to the adminsitrative share of other domain admins, ... > by adding the other domain admin accounts to the "deny ...
(microsoft.public.win2000.security)