Re: Restricting "Enterprise Admins" sec group
From: Joe Richards [MVP] (humorexpress_at_hotmail.com)
Date: 07/03/04
- Next message: Joe Richards [MVP]: "Re: Restricting "Enterprise Admins" sec group"
- Previous message: ibnu: "Re: Find/locate AD Objects based on their "created/modified dates""
- In reply to: Jim Singh: "Restricting "Enterprise Admins" sec group"
- Next in thread: Jim Singh: "Re: Restricting "Enterprise Admins" sec group"
- Reply: Jim Singh: "Re: Restricting "Enterprise Admins" sec group"
- Messages sorted by: [ date ] [ thread ]
Date: Fri, 02 Jul 2004 21:42:00 -0400
I will make it very simple.
It is impossible with the current design of active directory to effectively
block Enterprise Admins from any part of the forest. There are too many ways
they can get around anything you set up. Do not think about doing it because it
would simply give you a sense of false security.
If you do not trust your Enterprise Admins, fire them or set up your own forest.
That is the only realistic secure options.
joe
-- Joe Richards Microsoft MVP Windows Server Directory Services www.joeware.net Jim Singh wrote: > Hi - > does anyone knows of possible implications of restricting/blocking the > "Enterprise Admins" security group permissions from child level domain > besides the DHCP pool auth, child domain creation, ADC etc? > > does blocking "EA" group from child domain has any impact on replication ? > and are there any other serious implications ? i.e. attribute/class > dependencies etc? > thanks! > >
- Next message: Joe Richards [MVP]: "Re: Restricting "Enterprise Admins" sec group"
- Previous message: ibnu: "Re: Find/locate AD Objects based on their "created/modified dates""
- In reply to: Jim Singh: "Restricting "Enterprise Admins" sec group"
- Next in thread: Jim Singh: "Re: Restricting "Enterprise Admins" sec group"
- Reply: Jim Singh: "Re: Restricting "Enterprise Admins" sec group"
- Messages sorted by: [ date ] [ thread ]
Relevant Pages
|
