Re: Need to filter domain admin from GPO



I'm with Meinolf Weber on this one.

It's best practice to use a 2nd administrator account as your regular user
anyway and leave the original admin account redundant, only to be used as a
fall-back. (According to the MS AD infrastructure course you're actually
supposed to rename the original administrator for security purposes, maybe a
bit of overkill but that's for a different debate!)

Sorry for digressing, yes I agree with creating a new user account (eg
admin-clarv02) that is a member of the Enterprise Admins or Domain Admins
group and pop it in a new OU with blocked inheritance. :-)


"Meinolf Weber" <meiweb(nospam)@gmx.de> wrote in message
news:ff16fb6672bb38ca08a2707d6643@xxxxxxxxxxxxxxxxxxxxxxx
Hello clarv02,

For the real domain administrator i would recommend:

- Rename the account
- Set a strong long password
- lock this password in a safe place
- DO NOTHING ELSE WITH IT

CREATE a new account that is member of the domain admins group and move it
to a newly created OU e.g. ADMINISTRATORS and block the policy here.


Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.dts-l.org/goodpost.htm

I have a GPO that is at the domain level and I want to exclude the
domain admin. It seems like the only options are:

* Security filtering (doesn't seem like the best idea)
* WMI filtering (can't seem to find any posts on how to make it filter
user objects)
* Block inheritance (I would have to move the domain admin from Users
to an OU)

I'm leaning toward the last solution. But I'm concerned about moving
the domain admin account. The Users container is different from other
containers. I guess it's a system container. It doesn't show up like
the other OUs in GPMC. And even if I could block inheritance to that
container, I don't want to exclude other users that may be in the
Users container.

Is there any downside to moving the domain admin account to a
different container?

Or does anyone know of a successful WMI filter that I could use? (I do
like this option but it seems like no one has been able to make it
work).

Thanks!
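The procedure both replies describe (a dedicated admin account in its own OU with policy inheritance blocked), as an added PowerShell example that is not from any poster in the thread. It assumes the ActiveDirectory and GroupPolicy RSAT modules are installed, that the OU name ADMINISTRATORS and the account name admin-clarv02 from the replies are used, and it is run from an account that can create OUs and add members to Domain Admins. Renaming the built-in Administrator account is left to the operator.

```powershell
# Added example, not code from the thread. Assumed names: OU "ADMINISTRATORS",
# account "admin-clarv02"; the domain DN is read from the current domain.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName
$ouName   = 'ADMINISTRATORS'
$ouDN     = "OU=$ouName,$domainDN"
$account  = 'admin-clarv02'

# 1. Create the OU directly under the domain root if it does not already exist.
$existing = Get-ADOrganizationalUnit -LDAPFilter "(ou=$ouName)" -SearchBase $domainDN -SearchScope OneLevel
if (-not $existing) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN -ProtectedFromAccidentalDeletion $true
}

# 2. Block inheritance of GPOs linked above this OU (domain and site level).
Set-GPInheritance -Target $ouDN -IsBlocked Yes

# 3. Create the day-to-day admin account in that OU and add it to Domain Admins.
#    The password is prompted for interactively so it never lands in a script file.
$password = Read-Host -AsSecureString -Prompt "Password for $account"
New-ADUser -Name $account -SamAccountName $account -Path $ouDN `
           -AccountPassword $password -Enabled $true
Add-ADGroupMember -Identity 'Domain Admins' -Members $account

# 4. Verify the result. Blocking inheritance does not stop GPOs whose link is
#    marked Enforced, so list any of those that still reach the OU.
$inheritance = Get-GPInheritance -Target $ouDN
"Inheritance blocked on ${ouDN}: $($inheritance.GpoInheritanceBlocked)"
$stillApplied = $inheritance.InheritedGpoLinks | Where-Object { $_.Enforced }
if ($stillApplied) {
    "Enforced GPOs that still apply to this OU:"
    $stillApplied | Select-Object DisplayName, Target
} else {
    "No enforced GPOs reach this OU."
}
```

The check in step 4 is the part worth keeping in a runbook: an enforced link at the domain level silently defeats the blocked-inheritance approach, so after creating the OU confirm that the GPO you wanted to exclude is not enforced, and that nothing else you rely on (password or audit policy, for example) was only reaching the old Users container through inheritance.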