Re: Unable to prevent OU deletion by Domain Admins?

From: Mark Renoden [MSFT] (markreno_at_online.microsoft.com)
Date: 11/01/04

Date: Tue, 2 Nov 2004 09:12:44 +1100

Hi Josh

It's better practice to give rights to a group of users rather than take
them away from Domain Admins. You should never alter the rights of a
built-in group or user. You're better off creating a group for the purpose
of administering OUs, delegating permissions to this group and keeping your
Domain Admins group to a very select few that can be trusted.

Kind regards

-- 
Mark Renoden [MSFT]
Windows Platform Support Team
Email: markreno@online.microsoft.com
Please note you'll need to strip ".online" from my email address to email 
me; I'll post a response back to the group.
This posting is provided "AS IS" with no warranties, and confers no rights.
"Josh" <joshuabrown@gmail.com> wrote in message 
news:e7d88c81.0411011409.c1d654b@posting.google.com...
>I am trying (unsuccessfully) to prevent accidental deletion of several
> OUs by our domain admins.  For testing purposes, I have done this:
>
> 1) Created new OU, removed inheritance of permissions.
> 2) Removed all groups from the permissions.
> 3) Added Domain Admins with Full Control.
> 4) Explicitly set Deny rights for Domain Admins for Delete, Delete
> Subtree, and Delete Organizational Unit Objects.
>
> Create new user, add user to Domain Admins.  Log in with user, and the
> OU can be deleted without warning.
>
> The only way I have gotten this to work is by creating a user in the
> OU that I want to protect, and setting Deny All rights for the Domain
> Admins group on that user.  That prevents Domain Admins from deleting
> the parent OU, but it is a pretty bad solution...and it doesn't
> explain why the Domain Admins can delete the OU when all relevant
> deletion ACLs are set to Deny.
>
> Any thoughts? 
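The delegation Mark recommends, followed by a check of which ACEs could actually let someone delete the OU, as an added PowerShell example that is not part of the original thread. It assumes the RSAT ActiveDirectory module; the OU, group and domain names are placeholders.

```powershell
# Added example (not from the original thread): delegate OU administration to a
# dedicated group instead of editing or denying Domain Admins' own ACEs.
# Assumes the ActiveDirectory module (RSAT); all names below are placeholders.
Import-Module ActiveDirectory

$ouDN      = 'OU=Workstations,DC=corp,DC=example'     # placeholder OU
$groupName = 'OU-Admins-Workstations'                 # placeholder group
$groupPath = 'OU=Admin Groups,DC=corp,DC=example'     # placeholder container

# 1. Create the delegation group (skipped if it already exists).
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
        -Path $groupPath -Description 'Delegated admin for the Workstations OU'
}
$groupSid = (Get-ADGroup $groupName).SID

# 2. Grant that group the rights it needs on the OU and everything below it.
#    Nothing is removed from, or denied to, Domain Admins.
$rights = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild, ReadProperty, WriteProperty, ListChildren'
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid,
    $rights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl = Get-Acl -Path "AD:\$ouDN"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# 3. Audit: list every ACE that can contribute to deleting this OU.
#    An object can be deleted by a principal holding Delete on the object
#    itself OR DeleteChild on its parent, so the parent's ACL is checked too;
#    a Deny placed only on the OU does not cover the parent's DeleteChild grant.
$parentDN = ($ouDN -split ',', 2)[1]
foreach ($dn in @($ouDN, $parentDN)) {
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object { $_.ActiveDirectoryRights -match 'Delete|GenericAll' } |
        Select-Object @{ n = 'Object'; e = { $dn } }, IdentityReference,
                      AccessControlType, ActiveDirectoryRights, IsInherited |
        Format-Table -AutoSize
}
```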

