Re: Denying Changes to Group Membership



<carlrimmel@xxxxxxxxx> wrote in message
news:1145650882.088728.34570@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Got an interesting problem. We are running Windows 2003 SP1 active
directory. I am trying to add a specific "Deny" permission to the
Built-In Administrators group that would deny the ability for a member
of the group to be able to actually change the membership of the
Administrator group. (I know, I know... why is it a member of this
group if you don't want it to have the permissions - well, it is a
service account utilized by a lousy piece of software that needs to be
included in this group)

Perhaps your best bet is to just make a "Restricted Group"
which will FIX the group membership to the list you
provide.

While technically the group will be changeable, any change
will be restored at each GPO update, which is every 5 (or
15) minutes for DCs.

You can of course go in and put "DENY Modify" permissions
on the group just like you would with a file (use either the
Everyone group or admins).

BTW, I don't care how special that software is, it is a
complete piece of junk if it must be a domain admin MUCH
LESS if it makes unauthorized changes to your AD.

Find a replacement and junk that piece of $%Q$% Junk.

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]


Regardless, here is what I have found. If I add a Deny to the
Administrators group for "Write Members" and "Apply Onto" "This Object
Only", then it works fine. But, since the AdminSDHolder reverts it
back every hour, I need to make the change on the AdminSDHolder. So, I
try to add a Deny on the AdminSDHolder for "Write Members" and "Apply
onto" "Group Objects" (because "This Object Only" doesn't list "Write
Members" on the AdminSDHolder object) then it doesn't work. Applying
it directly to the Administrators group using "Group Objects" doesn't
work either.

Is the Built-In Administrator group referred to as something other than
a "Group Object" within AD? This is the only reason I can see that
this would not work properly.

Any help would be appreciated.

Thanks
Carl
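As an added example (not part of the thread), here is a PowerShell check that lists every ACE on AdminSDHolder and on the Administrators group that can write the member attribute, with its "Apply onto" scope and whether it is inherit-only; an inherit-only ACE never applies to the object it sits on, so this is the quickest way to see whether a Deny actually binds to the group object itself. It assumes the ActiveDirectory module (RSAT) on a domain-joined host and reads the schemaIDGUIDs from the schema rather than hard-coding them.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# Resolve the GUIDs for the 'member' attribute and the 'group' class from the schema.
$schemaNC   = (Get-ADRootDSE).schemaNamingContext
$memberGuid = [guid](Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=member)' -Properties schemaIDGUID).schemaIDGUID
$groupGuid  = [guid](Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=group)'  -Properties schemaIDGUID).schemaIDGUID

$domainDN = (Get-ADDomain).DistinguishedName
$targets  = @(
    "CN=AdminSDHolder,CN=System,$domainDN",
    (Get-ADGroup -Identity 'Administrators').DistinguishedName
)

foreach ($dn in $targets) {
    Write-Host "`n== $dn"
    $acl = Get-Acl -Path "AD:\$dn"
    foreach ($ace in $acl.Access) {
        # Keep only ACEs that carry WriteProperty on 'member' or on all properties.
        $writeProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
        $writesMember = (($ace.ActiveDirectoryRights -band $writeProp) -ne 0) -and
                        ($ace.ObjectType -eq $memberGuid -or $ace.ObjectType -eq [guid]::Empty)
        if (-not $writesMember) { continue }

        # InheritOnly set => the ACE is a template for children and does NOT apply to $dn itself.
        $inheritOnly = ($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) -ne 0

        $appliesTo = switch ($ace.InheritedObjectType) {
            $groupGuid    { 'Group objects (descendants)' }
            ([guid]::Empty) { 'This object and/or all descendants' }
            default       { "$_" }
        }

        [pscustomobject]@{
            Identity        = $ace.IdentityReference
            Type            = $ace.AccessControlType            # Allow / Deny
            Attribute       = if ($ace.ObjectType -eq $memberGuid) { 'member' } else { '(all properties)' }
            InheritanceType = $ace.InheritanceType              # None == "This object only"
            AppliesTo       = $appliesTo
            InheritOnly     = $inheritOnly                      # $true: does not bind to this object
            Inherited       = $ace.IsInherited
        }
    }
}
```

Run it once before and once after SDProp's hourly pass to see which of the Deny entries survive on the group and whether the surviving one still binds to the group object rather than only to descendants.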


