Re: isolating a subdomain in AD

From: "chriss3 [MVP]" <removethis_christoffer@xxxxxxxx>
Date: Thu, 5 Jan 2006 01:43:59 +0100

Hello,
Dave is right!

Here is a few words that explains way it's not secure.

Can a Domain Admin become a Enterprise Admin within a Forest
http://www.chrisse.se/MAQB.asp?ID=51
(Enterprise Admins are owners within the forest and can always take
ownership)

If you want to look at real isolation have a look at the Multiple Forest
Consideration white paper:
http://www.microsoft.com/downloads/details.aspx?FamilyID=b717bfcd-6c1c-4af6-8b2c-b604e60067ba&DisplayLang=en

--
Regards
Christoffer Andersson
Microsoft MVP - Directory Services

No email replies please - reply in the newsgroup
------------------------------------------------
http://www.chrisse.se - Active Directory Resources

"Dave Shaw [MVP]" <dhshaw@xxxxxxx> wrote in message
news:%23mvJWsYEGHA.648@xxxxxxxxxxxxxxxxxxxxxxx
>I hate to tell you this, but there is no effective means to isolate a
>single domain within a forest from the Enterprise Admins. They have
>complete control over the forest.
>
> Here is the very best paper ever written on the subject -
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/actdid1.mspx
>
>
> -ds
>
>
> "John Czahor" <John Czahor@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:33DBA94F-CB41-4804-A793-7B935657902F@xxxxxxxxxxxxxxxx
>>I have been asked to compleatly isolate a subdomain in AD. The Data is
>>very
>> sensitive and cannot be view by anyone includingthe enterprise admins.
>> There
>> will be only one admin to administritor to this sub domain (me). How do I
>> do
>> this? these users will still need to access thing within the forest.
>> Please
>> let me know.
>>
>> John
>
>

.

Follow-Ups:
- Re: isolating a subdomain in AD
  - From: Jorge de Almeida Pinto

References:
- Re: isolating a subdomain in AD
  - From: Dave Shaw [MVP]

Prev by Date: Re: switched domain controler to a new site, need to remove AD entries from original site
Next by Date: Re: Printer Disapear and Strange Admin Objects
Previous by thread: Re: isolating a subdomain in AD
Next by thread: Re: isolating a subdomain in AD
Index(es):
- Date
- Thread

Relevant Pages

Re: isolating a subdomain in AD
... I hate to tell you this, but there is no effective means to isolate a single ... domain within a forest from the Enterprise Admins. ... > sensitive and cannot be view by anyone includingthe enterprise admins. ...
(microsoft.public.windows.server.active_directory)
Re: isolating a subdomain in AD
... EVERY domain admin in the forest can take over control, ... > (Enterprise Admins are owners within the forest and can always take ...
(microsoft.public.windows.server.active_directory)
Re: One domain admin for multiple domains
... If you're dealing with 2 separate forests, then you can create a trust ... The forest container is a security boundary in both 2000 and 2003 though, ... Membership in the Enterprise Admins group should be ...
(microsoft.public.win2000.security)
Re: Forest Trusts
... > it seems that Enterprise Admins, Domain Admins are protected some how ... > agenst out of domain / forest user accounts. ... I think its Domain Admin (domain level groups) limited, ... Microsoft Windows MVP - Windows Server - Directory Services Security Is Like An Onion, ...
(microsoft.public.windows.server.active_directory)
Re: How to block off Enterprise Admin in a different tree but same forest?
... I've read about blocking EAs from child domains (in a book by authors whom I ... completely trust) and they didn't mention any repercussions other than the ... >> This can really break the ability to accomplish forest wide maintenance. ... >>> Enterprise Admins you need new Enterprise Admins. ...
(microsoft.public.win2000.active_directory)