Re: Need to filter domain admin from GPO



On Dec 10, 10:55 pm, Meinolf Weber <meiweb(nospam)@gmx.de> wrote:
Hello clarv02,

Normally Block inheritance works fine. What GPO setting do you like to filter?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.dts-l.org/goodpost.htm



On Dec 9, 11:59 am, "Matt" <mattd_em...@xxxxxxxxxxx> wrote:

I'm with Meinolf Weber on this one.

It's best practice to use a 2nd administrator account as your regular
user anyway and leave the original admin account redundant, only to be
used as a fall-back. (According to the MS AD infrastructure course
you're actually supposed to rename the original administrator for
security purposes, maybe a bit of overkill but that's for a different
debate!)

Sorry for digressing, yes I agree with creating a new user account
(eg admin-clarv02) that is a member of the Enterprise Admins or
Domain Admins group and pop it in a new OU with blocked inheritance.
:-)

"Meinolf Weber" <meiweb(nospam)@gmx.de> wrote in message

news:ff16fb6672bb38ca08a2707d6643@xxxxxxxxxxxxxxxxxxxxxxx

Hello clarv02,

For the real domain administrator i would recommend:

- Rename the account
- Set a strong, long password
- Lock this password in a safe place
- DO NOTHING ELSE WITH IT
CREATE a new account that is a member of the Domain Admins group and
move it to a newly created OU, e.g. ADMINISTRATORS, and block the policy
there.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.dts-l.org/goodpost.htm
I have a GPO that is at the domain level and I want to exclude the
domain admin. It seems like the only options are:

* Security filtering (doesn't seem like the best idea)
* WMI filtering (can't seem to find any posts on how to make it filter
  user objects)
* Block inheritance (I would have to move the domain admin from Users
  to an OU)

I'm leaning toward the last solution. But I'm concerned about moving
the domain admin account. The Users container is different from other
containers. I guess it's a system container. It doesn't show up like
the other OUs in GPMC. And even if I could block inheritance to that
container, I don't want to exclude other users that may be in the
Users container.

Is there any downside to moving the domain admin account to a
different container?

Or does anyone know of a successful WMI filter that I could use? (I
do like this option but it seems like no one has been able to make
it work).
Thanks!

Thanks for the posts. I really should have thought of having a
separate account for this. We have already renamed the administrator
account with strong password. However, we do use it on a regular basis
for admin tasks. That will change soon. I went ahead and created a
special admin account for me to use and filtered the particular GPO
using ACL deny. I couldn't seem to figure out how to block a single
GPO at an OU level. Seems like I can block inheritance, but not from a
specific GPO.

Anyway, thanks for the suggestions.

I have a GPO that specifies the IE Home Page. My understanding is that
you can block inheritance, but it will apply to all GPOs above, unless
they are enforced. Since I want to prevent a single GPO from applying
to a group of people, I found it easiest to deny the read permission
for that group.

Thanks,
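As an added example (not from any poster in this thread), here is the PowerShell equivalent of both approaches discussed above: the dedicated admin account in an OU with blocked inheritance that Meinolf recommends, and the per-GPO deny that the original poster settled on (denying "Apply Group Policy" rather than Read). The OU, account, group and GPO names are assumptions.

```powershell
# Added example, not from the thread. Assumed names: OU "ADMINISTRATORS",
# account "admin-clarv02", GPO "IE Home Page", group "GPO-Exclude-IEHomePage".
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName
$ouDN     = "OU=ADMINISTRATORS,$domainDN"

# --- Approach 1 (Meinolf): separate admin account in an OU that blocks inheritance.
if (-not [adsi]::Exists("LDAP://$ouDN")) {
    New-ADOrganizationalUnit -Name "ADMINISTRATORS" -Path $domainDN
}
# Blocks every non-enforced GPO linked above this OU; enforced links still apply.
Set-GPInheritance -Target $ouDN -IsBlocked Yes

$pw = Read-Host -Prompt "Password for admin-clarv02" -AsSecureString
New-ADUser -Name "admin-clarv02" -SamAccountName "admin-clarv02" `
    -AccountPassword $pw -Enabled $true -Path $ouDN
Add-ADGroupMember -Identity "Domain Admins" -Members "admin-clarv02"

# --- Approach 2 (original poster): leave accounts where they are and keep one
# GPO away from one group. Set-GPPermission cannot write a Deny entry, so the
# ACE is added to the GPO's container object in AD through the AD: drive.
$gpo   = Get-GPO -Name "IE Home Page"
$gpoAd = "AD:\$($gpo.Path)"
$sid   = (Get-ADGroup -Identity "GPO-Exclude-IEHomePage").SID
$applyGroupPolicy = [Guid]"edacfd8f-ffb3-11d1-b41d-00a0c968f939"   # "Apply Group Policy" extended right

$acl = Get-Acl -Path $gpoAd
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $applyGroupPolicy)
$acl.AddAccessRule($ace)
Set-Acl -Path $gpoAd -AclObject $acl

# --- Verify both: inheritance state of the OU, and any Deny trustees on the GPO.
(Get-GPInheritance -Target $ouDN).GpoInheritanceBlocked          # expect True
Get-GPPermission -Name "IE Home Page" -All |
    Where-Object { $_.Denied } |
    Select-Object Trustee, Permission
```

Denying only Apply Group Policy leaves the group able to read the GPO in GPMC, which is what you usually want for troubleshooting; because the ACE is written to the AD side only, GPMC may report the AD and SYSVOL permissions as out of sync until you let it repair them.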