Re: Domain Admins rights....
- From: "Paul Williams [MVP]" <ptw2001@xxxxxxxxxxx>
- Date: Thu, 2 Jun 2005 14:10:16 +0100
> Do you have reference to any documentation on this subject?
Not really. It's not that well documented as it's a security hole ;-) I'm
sure Google will come up with something though...
> By "DC's" I am assuming your are referencing the Forest level DC's? Not
> the Child Level?
Doesn't matter really. Domain admins on any DC in the forest can edit all
partitions if you think about it. And lesser privileged [protected] groups
can also easily elevate themselves or make necessary changes that will allow
the same end result.
> I manage a 2000+ object AD domain with 5 total DC's soon to become 9. Our
> corporate office (who is new to Active Directory) wants to propose that
> all objects in all domains be migrated to their domain, ditching (so to
> speak) all other domains and placing all objects in OU's......located on
> their DC's instead of creating Forests and Children domains.....
> One fear they have in sense of control is Domain Admins and their ability to
> raise their permissions level in light of becoming Enterprise Admins. I am
> trying to head this action off since I feel there are several holes in their
> way of thinking they are not seeing in light of security....one being all
> users on all PC's become local PC admins....do you see the dark cloud
I would have to agree with your corporate office. A domain is NOT a
security boundary - the forest is. The empty root, or even child domains to
segregate and secure resources, will not work if your admins know what they
are doing, or don't - and are prepared to fiddle without understanding the
consequences. If you require certain administrative functions, a better way
of doing this is to have a single-domain forest with users segregated into
OUs and permissions delegated to users and/or groups in these OUs.
You should have as few domain admins as possible and nobody should be a
full-time member of EA and SA. Everything (bar one or two exceptions) can
Local administrators aren't a problem, as they only have glorified
permissions over their own PCs and not over the domain.
> BTW I just received your email reply...thanks
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
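As an added illustration of the two points made in the reply above (keep standing membership of Domain Admins, Enterprise Admins and Schema Admins to a minimum, and delegate rights at the OU level instead), the following PowerShell is example code written for this page, not something Paul Williams or msresource.net published. It assumes the ActiveDirectory module from RSAT is installed and the caller can read every domain in the forest; the OU distinguished name and group name passed to the delegation function are placeholders you substitute for your own. The well-known RIDs (512, 518, 519) and the schema GUIDs for the "Reset Password" right and the user class are real Active Directory values.

```powershell
# Added example (not from the original thread). Requires the RSAT
# ActiveDirectory module; OU and group names are placeholders.
Import-Module ActiveDirectory

function Get-PrivilegedGroupMembership {
    # Resolve groups by well-known RID so localized names don't matter:
    # 512 = Domain Admins (every domain), 518 = Schema Admins and
    # 519 = Enterprise Admins (forest root domain only).
    $forest = Get-ADForest
    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        $rids = @{ 'Domain Admins' = 512 }
        if ($domainName -eq $forest.RootDomain) {
            $rids['Schema Admins']     = 518
            $rids['Enterprise Admins'] = 519
        }
        foreach ($entry in $rids.GetEnumerator()) {
            $sid = "$($domain.DomainSID)-$($entry.Value)"
            # -Recursive flattens nested groups so indirect members are listed too
            foreach ($member in Get-ADGroupMember -Identity $sid -Server $domainName -Recursive) {
                [pscustomobject]@{
                    Domain = $domainName
                    Group  = $entry.Key
                    Member = $member.SamAccountName
                    Class  = $member.objectClass
                }
            }
        }
    }
}

function Grant-OuPasswordReset {
    # Delegates "Reset Password" on user objects beneath one OU to a group,
    # which is the OU-scoped alternative to handing out Domain Admins.
    param(
        [Parameter(Mandatory)] [string] $OuDistinguishedName,   # placeholder, e.g. "OU=Helpdesk,DC=example,DC=com"
        [Parameter(Mandatory)] [string] $GroupSamAccountName    # placeholder, e.g. "Helpdesk-PasswordReset"
    )
    $group = Get-ADGroup -Identity $GroupSamAccountName
    $acl   = Get-Acl -Path "AD:\$OuDistinguishedName"

    # Real schema GUIDs: the Reset Password control-access right and the user class
    $resetPasswordGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'
    $userClassGuid     = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

    # Allow the extended right on descendant user objects only (not the OU itself)
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $group.SID,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $resetPasswordGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClassGuid)
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$OuDistinguishedName" -AclObject $acl
}

# Usage:
# Report anyone sitting in EA or SA full-time, which the reply above argues should be nobody
Get-PrivilegedGroupMembership |
    Where-Object { $_.Group -ne 'Domain Admins' } |
    Format-Table Domain, Group, Member, Class -AutoSize

# Delegate a single right on one OU instead (placeholder names):
# Grant-OuPasswordReset -OuDistinguishedName 'OU=Helpdesk,DC=example,DC=com' -GroupSamAccountName 'Helpdesk-PasswordReset'
```

The report is worth scheduling: because every domain in the forest shares one configuration and schema partition, a Domain Admin in any domain is in practice a forest-wide administrator, so the membership of all three groups in all domains is the number that matters, not just the root domain's.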