Re: Administrator, Administrators & Domain Admins
- From: Jorge_de_Almeida_Pinto <UseLinkToEmail@xxxxxxxxxxxxxxxxx>
- Date: 28 Jun 2005 01:36:51 -0400
"" wrote:
> Can someone give me a brief explanation of the difference
> between the above
> three items, relating to the following problem.
>
> I want to secure access to all user directories on the server,
> where I have
> granted access to each user directory to both the domain
> admins group and the
> individual user.
>
> To set this up I took ownership of all directories and
> individual files as
> Administrator, which may have been an error looking at the
> problem I am left
> with.
>
> So now I'd like some help with the best way to make sure only
> one or two
> 'super users' can access all files, as all of the support team
> have either the
> administrator password, or are part of the domain admins
> group.
>
> Any help on redistributing the power would be appreciated!
administrator -> user account member of administrators, domain admins
and enterprise admins
administrators -> built-in local group, has full god mode permissions
on all DCs of the domain
domain admins -> global group, member of the administrators group on DCs
and member of the administrators group on each member server
enterprise admins -> universal security group, member of the
administrators group in each domain in the forest
These groups/users are very powerful and there is NO WAY (besides
using encryption) you can exclude these groups/users from doing
anything. Even if you revoke permission they still have the right to
take ownership. It is better to delegate permissions to custom-made
security groups.
On home directories and/or profile directories I usually assign the
following permissions
ownership: administrators
perms:
administrators - full
system -full
<some delegated group> - modify or full when the need exists to change
permissions or ownership
<username> - modify
You can reassign ownership to administrators the same way as you took
it
My advice:
* Change the administrator password and only give it to one other
trusted individual!
* Cleanup memberships from the groups administrators, domain admins
and enterprise admins
* Delegate permissions to custom groups
* Create administrative accounts (separate accounts to do admin
work) (and I don't mean assigning membership in the powerful groups)
and place each admin account into the custom-made group for the
permissions the support person needs
Cheers,
Jorge
--
Posted using the http://www.windowsforumz.com interface, at author's request
Articles individually checked for conformance to usenet standards
Topic URL: http://www.windowsforumz.com/Active-Directory-Administrator-Administrators-amp-Domain-Admins-ftopict550685.html
Visit Topic URL to contact author (reg. req'd). Report abuse: http://www.windowsforumz.com/eform.php?p=1744382
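The permission layout Jorge describes (ownership back to Administrators; Administrators and SYSTEM full, a delegated group modify, the user modify) can be applied to a whole tree of home directories in one pass. The following PowerShell script is an added example, not code from the original post or its author. It assumes a hypothetical layout where each home directory under D:\Home is named after its domain user, a hypothetical custom group CONTOSO\HomeDir-Admins as the delegated group, and that it is run elevated from an account in the local Administrators group (so that takeown and Set-Acl have the take-ownership and restore privileges they need).

```powershell
# Added example (not from the original post). Assumed/hypothetical names:
#   $HomeRoot       - folder whose subfolders are named after domain users
#   $Domain         - NetBIOS domain name of those users
#   $DelegatedGroup - custom group that gets Modify instead of handing out Domain Admins
param(
    [string]$HomeRoot       = 'D:\Home',
    [string]$Domain         = 'CONTOSO',
    [string]$DelegatedGroup = 'HomeDir-Admins'
)

$admins    = New-Object System.Security.Principal.NTAccount('BUILTIN', 'Administrators')
$system    = New-Object System.Security.Principal.NTAccount('NT AUTHORITY', 'SYSTEM')
$delegated = New-Object System.Security.Principal.NTAccount($Domain, $DelegatedGroup)

# ACEs apply to the folder, its subfolders and its files (ContainerInherit + ObjectInherit).
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$allow     = [System.Security.AccessControl.AccessControlType]::Allow

function New-Ace([System.Security.Principal.NTAccount]$Account, [string]$Rights) {
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Account, $Rights, $inherit, $propagate, $allow)
}

foreach ($dir in Get-ChildItem -Path $HomeRoot -Directory) {
    $user = New-Object System.Security.Principal.NTAccount($Domain, $dir.Name)

    # Skip folders that no longer map to a real account; an unresolvable SID in the ACL
    # is useless and hides whether the folder is orphaned.
    try   { $null = $user.Translate([System.Security.Principal.SecurityIdentifier]) }
    catch { Write-Warning "No account $Domain\$($dir.Name) for $($dir.FullName); skipping"; continue }

    # 1. Give ownership of the folder and everything below it back to Administrators
    #    (/A = Administrators group, /R = recurse, /D Y = answer 'yes' to prompts).
    & takeown.exe /F $dir.FullName /A /R /D Y | Out-Null

    # 2. Build the folder ACL from scratch: stop inheriting from $HomeRoot and do not
    #    copy the inherited ACEs, then add exactly the four entries from the post.
    $acl = New-Object System.Security.AccessControl.DirectorySecurity
    $acl.SetAccessRuleProtection($true, $false)
    $acl.AddAccessRule((New-Ace $admins    'FullControl'))
    $acl.AddAccessRule((New-Ace $system    'FullControl'))
    $acl.AddAccessRule((New-Ace $delegated 'Modify'))
    $acl.AddAccessRule((New-Ace $user      'Modify'))
    Set-Acl -Path $dir.FullName -AclObject $acl

    # 3. Reset the contents (wildcard = children only, not the folder itself) so that any
    #    explicit ACEs left over from earlier manual changes are dropped and every file and
    #    subfolder inherits the ACL just set.
    & icacls.exe "$($dir.FullName)\*" /reset /T /C /Q | Out-Null

    # 4. Show what is now in effect so the change can be checked folder by folder.
    Write-Host "== $($dir.FullName) (owner: $((Get-Acl $dir.FullName).Owner))"
    (Get-Acl $dir.FullName).Access |
        Select-Object IdentityReference, FileSystemRights, IsInherited |
        Format-Table -AutoSize
}
```

Run it once with a single test folder before pointing it at the real share. Note that the script only narrows who is granted access through the ACL; as the post says, members of Administrators, Domain Admins and Enterprise Admins can still take ownership and re-grant themselves rights, so the lasting fix is the group clean-up in the advice list, not the ACEs themselves.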