Re: Administrators Group in Local Users and Groups



That is what you know, others may know other things.

The fact that they can log on to domain controllers means they very likely have the ability to easily escalate their privileges to administrator, domain administrator, and probably enterprise admin and do everything you listed and more. No, I will not explain how they can do it.

They also have the ability to modify nearly all groups in the domain directly, so they can give themselves all sorts of resource access that they probably shouldn't be able to give.

Finally, don't assume others can't do damage because you can't visualize a mechanism by which they could. Lots of security folks and domain admins have been burned pretty badly because they do. Either someone gets pissed off and screws them over, or management brings in an outside resource to look for holes and they show how easily someone can walk through what was done, making the current people look like idiots.

The absolute security rule to follow at all times is to give only the least amount of rights necessary for someone to do their job.

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


Spin wrote:
Yeah, but they cannot modify domain admin accounts, bring up new domain controllers, or modify the schema or configuration (like enabling a GC, modifying anything in Sites and Services, activating a DHCP server, etc.), so I'm fine with that reduced level of access.
