Re: How to block off Enterprise Admin in a different tree but same forest?

From: ptwilliams (ptw2001_at_hotmail.com)
Date: 10/28/04


Date: Thu, 28 Oct 2004 20:09:55 +0100

I've read about blocking EAs from child domains (in a book by authors whom I
completely trust) and they didn't mention any repercussions other than the
obvious - that the central IT people CANNOT administer this domain.

I can see this coming in handy; after all, multiple domains is bad enough -
multiple forests is worse. I would also take this route were I asked to do
so...

-- 
Paul Williams
http://www.msresource.net
http://forums.msresource.net
______________________________________
"Glenn L" <the.only(delete)@gmail.com> wrote in message 
news:uFqKLVZuEHA.1008@tk2msftngp13.phx.gbl...
I suspect MS did not plan for and did not test child domain admins removing
enterprise admins from access to a domain.
This paper may not include all the repercussions of this action.
"Mary" <mary@yahoo.ca> wrote in message
news:OEOFTzVuEHA.2000@TK2MSFTNGP14.phx.gbl...
> But this paper shows it's possible
> http://www.ins.com/downloads/whitepapers/ins_white_paper_w2kad_design_restrict_ent_admins_0300.pdf
>
> Mary
>
> "Glenn L" <the.only@gmail.com> wrote in message
> news:%23UtKZ0NuEHA.2876@TK2MSFTNGP14.phx.gbl...
>>
>> This can really break the ability to accomplish forest wide maintenance.
>> Consider a separate forest if you want autonomy.
>>
>> -- 
>> Glenn L
>> CCNA, MCSE 2000, MCSE 2003 + Security
>>
>>
>> "Herb Martin" <news@LearnQuick.com> wrote in message
>> news:OVO1VXLuEHA.2824@TK2MSFTNGP12.phx.gbl...
>>> You aren't really supposed to do that -- if you cannot trust the
>>> Enterprise Admins you need new Enterprise Admins.
>>>
>>> -- 
>>> Herb Martin
>>>
>>>
>>> "Mary" <mary@yahoo.ca> wrote in message
>>> news:uzvo6QJuEHA.2800@tk2msftngp13.phx.gbl...
>>> > I have seen a published paper from Lucent regarding blocking off Enterprise
>>> > Admin from accessing your domain within a forest. But somehow, the Ent Admin
>>> > keeps populating back in the Administrators security page after an ADC
>>> > connector has been established.
>>> >
>>> > Any idea?
>>> >
>>> > thx
>>> > Mary
>>> >
>>> >
>>>
>>>
>>
>>
>
>

