Re: What is easier: to delegate or to use ACLs?
From: Microsoft (gera_at_)
Date: 01/12/05
- Previous message: Paul Bergson: "Re: User created in Active Directory but not shown up in Exchange"
- In reply to: Joe Richards [MVP]: "Re: What is easier: to delegate or to use ACLs?"
- Next in thread: Gera: "Re: What is easier: to delegate or to use ACLs?"
- Messages sorted by: [ date ] [ thread ]
Date: Wed, 12 Jan 2005 23:37:54 +0200
That's very interesting. Could you outline how it is possible?
Is this a legal and documented way, or some type of vulnerability?
What tools should be used?
G.
"Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message
news:OywLZ7M%23EHA.3260@TK2MSFTNGP14.phx.gbl...
> > But domain admins of one child domain cannot manage resources in another
> > child domain or in the root domain.
> > Maybe it is some type of security boundary?
>
> This is incorrect. An Admin of any domain controller can escalate their
> permissions to modify any domain in the forest. Up to and including
> removing you from Enterprise Admins and inserting themselves. This is a
> core AD design piece; there is no way to really get around it 100%.
>
> joe
>
> --
> Joe Richards Microsoft MVP Windows Server Directory Services
> www.joeware.net
>
>
> Gera wrote:
>> "Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message
>> news:em$UFmC%23EHA.2180@TK2MSFTNGP12.phx.gbl...
>>
>>>First question: Who controls the forest? Those are the people who should get
>>>domain admin rights and ability to log on domain controllers. No one
>>>else.
>>
>> The forest is controlled by fully trusted top-level admins.
>> But administration of the local (regional) domains is done by local admins,
>> which are members of the child domain admins group.
>>
>>
>>>The people you are deciding whether they should have OU delegated permissions or
>>>a child domain, do you mind if they control your entire forest?
>>
>> If I understand you correctly, it is not preferred. They should control only
>> their own regional domain.
>>
>>
>>>Domains are not a security boundary, they are a policy boundary. If the intent
>>>is to limit what people can manage, you only have the choice of separate
>>>forests or delegated rights.
>> But domain admins of one child domain cannot manage resources in another
>> child domain or in the root domain.
>> Maybe it is some type of security boundary?
>>
>> Today I realized that my phrase "top level admin from root domain restricts
>> some access to local admins in child domains using ACLs on objects" is more than
>> questionable.
>> It seems that it is impossible, mostly because a child domain admin can always
>> take ownership of any object.
>>
>> ----
>> Gera
>>
>>>Gera wrote:
>>>
>>>>Design choice - to use one root domain and three child domains or to use
>>>>single domain and delegate some admin rights on OUs, all Windows 2003.
>>>>
>>>>From your experience or simply opinion - what is easier and more safe:
>>>>1. to manage ACL on resources (root + child domains; top level admin from
>>>>root domain restricts some access to local admins in child domains using ACLs
>>>>on objects)
>>>>2. to manage a delegation on OUs (single domain with OUs which contain
>>>>regional domain's resources; root admin delegates needed rights through
>>>>Delegation Wizard)
>>>>
>>>>I am interested from the point of users and resources administration, PC and
>>>>servers accounts managing,
>>>>and all other imaginable administrative activity. What couldn't be done in
>>>>the first or second scenario?
>>>>The concern... is it really possible to delegate absolutely any admin. need
>>>>using OU and Delegation Wizard?
>>>>
>>>>Thanks a lot,
>>>>G.
>>
>>
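Scenario 2 from Gera's original question (delegating rights on OUs instead of creating child domains), as an added PowerShell example that is not from any poster in this thread: it grants a regional group the Reset Password right over user objects in one OU, then checks that the same group did not also receive WriteOwner, WriteDacl or GenericAll on the OU, which is the take-ownership path Joe and Gera discuss. The OU and group names are placeholders, and the ActiveDirectory module (which postdates the Windows 2003 forest in the thread) is assumed.

```powershell
# Added example, not code from any poster in this thread. Assumes the ActiveDirectory
# module (RSAT, Windows Server 2008 R2 or later). OU and group names are placeholders.
Import-Module ActiveDirectory

$ouDn     = 'OU=Region-A,DC=example,DC=com'   # placeholder OU holding regional resources
$groupSam = 'RegionA-Admins'                  # placeholder regional admin group

# Resolve the 'user' class GUID and the 'Reset Password' extended right from the
# forest's own schema and configuration partitions instead of hard-coding them.
$rootDse   = Get-ADRootDSE
$userClass = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=user)' -Properties schemaIDGUID
$resetPwd  = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(displayName=Reset Password)' -Properties rightsGuid
$userGuid  = [guid]$userClass.schemaIDGUID
$rightGuid = [guid]$resetPwd.rightsGuid
$sid       = (Get-ADGroup $groupSam).SID

# One ACE: allow the Reset Password control-access right, applied only to
# descendant user objects of the OU (what the Delegation Wizard writes for this task).
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $rightGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userGuid)

$acl = Get-Acl -Path "AD:\$ouDn"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Verify: list what the group now holds on the OU.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference -like "*\$groupSam" } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType

# The check the thread points at: delegated rights only hold as long as the group
# cannot rewrite the security descriptor or take ownership of the objects.
$broadRights = [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner -bor
               [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl  -bor
               [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$tooBroad = (Get-Acl -Path "AD:\$ouDn").Access | Where-Object {
    $_.IdentityReference -like "*\$groupSam" -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.ActiveDirectoryRights -band $broadRights)
}
if ($tooBroad) { Write-Warning "$groupSam can change ownership or the DACL on $ouDn; delegation is not contained." }
```

Run this as an account that may modify the OU's security descriptor; it does nothing about the point Joe makes, which is that anyone who administers a domain controller is outside the reach of such ACLs.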