Re: Domain Admins rights....
- From: "Clayton" <Clayton@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 2 Jun 2005 06:25:21 -0700
Paul,
Can you provide a scenario that would support their proposal?
In other words, I have total rights as a Domain Admin, which means I can
install software, manage servers, client PCs, the whole nine yards.
In short, can you lay out a permissions/group/? arrangement that will allow this to be
unchanged?
I have tried this in the Delegation Wizard, with no luck.
Also understand I have around 300 PCs; if any interaction is needed to
add a domain group to the local Administrators group on each PC, it would take some
time without the use of scripts.
Thanks
--
Clayton Baker
Systems Support Admin
Teleflex Aerospace Ohio
"Paul Williams [MVP]" wrote:
> > Do you have reference to any documentation on this subject?
>
> Not really. It's not that well documented as it's a security hole ;-) I'm
> sure Google will come up with something though...
>
>
> > By "DC's" I am assuming you are referencing the forest-level DCs? Not
> > the child level?
>
> Doesn't matter really. Domain admins on any DC in the forest can edit all
> partitions if you think about it. And lesser privileged [protected] groups
> can also easily elevate themselves or make necessary changes that will allow
> the same end result.
>
>
> > I manage a 2000+ object AD domain with 5 total DC's soon to become 9. Our
> > corporate office (who is new to Active Directory) wants to propose that
> > all objects in all domains be migrated to their domain, ditching (so to
> > speak) all other domains and placing all objects in OU's......located on
> > their DC's instead of creating Forests and Children domains.....
> > One fear they have in sense of control is Domain Admins and their ability to
> > raise their permissions level in light of becoming Enterprise Admins. I am
> > trying to head this action off since I feel there are several holes in their
> > way of thinking they are not seeing in light of security....one being all
> > users on all PC's become local PC admins....do you see the dark cloud
> > already....
>
> I would have to agree with your corporate office. A domain is NOT a
> security boundary - the forest is. The empty root, or even child domains to
> segregate and secure resources, will not work if your admins know what they
> are doing, or don't, and are prepared to fiddle without understanding the
> consequences. If you require certain administrative functions, a better way
> of doing this is to have a single-domain forest with users segregated into
> OUs and permissions delegated to users and/or groups in these OUs.
>
> You should have as few domain admins as possible and nobody should be
> full-time members of EA and SA. Everything (bar one or two exceptions) can
> be delegated.
>
> Local administrators aren't a problem, as they only have glorified
> permissions over their own PCs and not over the domain.
>
>
> > BTW I just received your email reply...thanks
>
> No problem!!
>
>
> --
> Paul Williams
> Microsoft MVP - Windows Server - Directory Services
> http://www.msresource.net | http://forums.msresource.net
>
>
>
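Clayton's concern above is that placing a domain group into the local Administrators group on roughly 300 PCs is a lot of hand work without a script. The following PowerShell is an added example, not code from either poster or from this thread: it binds to each machine's local Administrators group through the ADSI WinNT provider, checks whether the domain group is already a member, adds it only if missing, and writes a per-machine result you can keep as a change record. The domain name (CORP), group name (Workstation-Admins), the computer list file (hosts.txt) and the output CSV path are assumptions chosen for illustration; substitute your own. On a domain with Group Policy available, the declarative equivalent is the Restricted Groups policy, which enforces the membership continuously rather than once.

```powershell
# Added example (not from the thread): add one domain group to the local
# Administrators group on every computer named in a text file, idempotently.
# Assumed placeholders: domain CORP, group Workstation-Admins, list in hosts.txt.
param(
    [string]$Domain       = 'CORP',
    [string]$GroupName    = 'Workstation-Admins',
    [string]$ComputerList = '.\hosts.txt',
    [string]$ReportPath   = '.\local-admin-changes.csv'
)

# The ADsPath that the WinNT provider reports for a domain group member.
$target = "WinNT://$Domain/$GroupName"

$results = foreach ($line in Get-Content -Path $ComputerList) {
    $computer = $line.Trim()
    if (-not $computer) { continue }          # skip blank lines in the list

    try {
        # Bind to the local Administrators group on the remote machine.
        $localAdmins = [ADSI]"WinNT://$computer/Administrators,group"

        # Enumerate current members and collect their ADsPath values.
        $members = @($localAdmins.psbase.Invoke('Members') | ForEach-Object {
            $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        })

        if ($members -contains $target) {     # -contains is case-insensitive for strings
            $status = 'AlreadyMember'
        } else {
            $localAdmins.psbase.Invoke('Add', $target)
            $status = 'Added'
        }
    } catch {
        # Unreachable host, access denied, or a bad name: record it, keep going.
        $status = "Error: $($_.Exception.Message)"
    }

    [pscustomobject]@{ Computer = $computer; Group = $target; Status = $status }
}

# Show the outcome and keep a record of what changed on which machine.
$results | Format-Table -AutoSize
$results | Export-Csv -Path $ReportPath -NoTypeInformation
```

Run it from an account that is already a local administrator on the target PCs (a Domain Admins member qualifies, which is the very privilege the thread is discussing); the Status column separates machines that were changed from those that were already compliant or could not be reached, so a second run is safe and only touches the remaining hosts.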