Re: Domain Admins rights....



> Do you have reference to any documentation on this subject?

Not really. It's not that well documented as it's a security hole ;-) I'm
sure Google will come up with something though...


> By "DC's" I am assuming your are referencing the Forest level DC's? Not
> the Child Level?

Doesn't matter really. Domain admins on any DC in the forest can edit all
partitions if you think about it. And lesser privileged [protected] groups
can also easily elevate themselves or make necessary changes that will allow
the same end result.


> I manage a 2000+ object AD domain with 5 total DC's soon to become 9. Our
> corporate office (who is new to Active Directory) wants to propose that
> all objects in all domains be migrated to their domain, ditching (so to
> speak) all other domains and placing all objects in OU's......located on
> their DC's instead of creating Forests and Children domains.....
> One fear they have in sense of control is Domain Admins and their ability to
> raise their permissions level in light of becoming Enterprise Admins. I am
> trying to head this action off since I feel there are several holes in their
> way of thinking they are not seeing in light of security....one being all
> users on all PC's become local PC admins....do you see the dark cloud
> already....

I would have to agree with your corporate office. A domain is NOT a
security boundary - the forest is. The empty root, or even child domains to
segregate and secure resources, will not work if your admins know what they
are doing, or don't - and are prepared to fiddle without understanding the
consequences. If you require certain administrative functions, a better way
of doing this is to have a single-domain forest with users segregated into
OUs and permissions delegated to users and/or groups in these OUs.

You should have as few domain admins as possible and nobody should be
full-time members of EA and SA. Everything (bar one or two exceptions) can
be delegated.

Local administrators aren't a problem, as they only have glorified
permissions over their own PCs and not over the domain.


> BTW I just received your email reply...thanks

No problem!!


--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
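As an added illustration of the advice above (not part of Paul's reply or the original thread): a PowerShell audit that enumerates Enterprise Admins and Schema Admins in the forest root and Domain Admins in every domain of the forest, flagging any standing EA/SA membership and any Domain Admins group above a size limit. It assumes the RSAT ActiveDirectory module and an account that can read group membership in each domain; the limit of 5 is an assumed policy value.

```powershell
# Added example, not from the original post. Audits the forest-wide privileged
# groups discussed above. Assumes the ActiveDirectory module (RSAT) is installed.
Import-Module ActiveDirectory

function Get-PrivilegedGroupFindings {
    param([int]$MaxDomainAdmins = 5)   # assumed limit; set to your own policy

    $findings = @()
    $forest     = Get-ADForest
    $rootDomain = Get-ADDomain -Identity $forest.RootDomain
    $rootSid    = $rootDomain.DomainSID.Value

    # Enterprise Admins (RID 519) and Schema Admins (RID 518) exist only in the
    # forest root domain, so they are resolved by well-known SID against the root.
    $forestGroups = @{
        'Enterprise Admins' = "$rootSid-519"
        'Schema Admins'     = "$rootSid-518"
    }
    foreach ($entry in $forestGroups.GetEnumerator()) {
        # -Recursive expands nested groups; note that it can fail on groups
        # containing foreign security principals from trusted forests.
        $members = @(Get-ADGroupMember -Identity $entry.Value `
                       -Server $rootDomain.PDCEmulator -Recursive)
        if ($members.Count -gt 0) {
            $names = ($members | ForEach-Object { $_.SamAccountName }) -join ', '
            $findings += "$($entry.Key) should be empty but has $($members.Count): $names"
        }
    }

    # Domain Admins (RID 512) exists in every domain; check each one separately.
    foreach ($domainName in $forest.Domains) {
        $domain  = Get-ADDomain -Identity $domainName
        $daSid   = "$($domain.DomainSID.Value)-512"
        $members = @(Get-ADGroupMember -Identity $daSid `
                       -Server $domain.PDCEmulator -Recursive)
        if ($members.Count -gt $MaxDomainAdmins) {
            $findings += "$domainName Domain Admins has $($members.Count) members " +
                         "(limit $MaxDomainAdmins)"
        }
    }
    return $findings
}

$result = Get-PrivilegedGroupFindings
if ($result.Count -eq 0) { 'No findings: EA/SA empty, Domain Admins within limit' }
else { $result }
```

Run it from a forest-root account that can read every domain; an empty result means EA and SA have no standing members and each Domain Admins group is within the chosen limit.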




