Re: isolating a subdomain in AD

EVERY domain admin in the forest can take over control, not just the
enterprise admins

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)
# Jorge de Almeida Pinto #
BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
-----------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
-----------------------------------------------------------------------------


-----------------------------------------------------------------------------
"chriss3 [MVP]" <removethis_christoffer@xxxxxxxx> wrote in message
news:eK9yFHZEGHA.1120@xxxxxxxxxxxxxxxxxxxxxxx
> Hello,
> Dave is right!
>
> Here is a few words that explains way it's not secure.
>
> Can a Domain Admin become a Enterprise Admin within a Forest
> http://www.chrisse.se/MAQB.asp?ID=51
> (Enterprise Admins are owners within the forest and can always take
> ownership)
>
> If you want to look at real isolation have a look at the Multiple Forest
> Consideration white paper:
> http://www.microsoft.com/downloads/details.aspx?FamilyID=b717bfcd-6c1c-4af6-8b2c-b604e60067ba&DisplayLang=en
>
> --
> Regards
> Christoffer Andersson
> Microsoft MVP - Directory Services
>
>
> No email replies please - reply in the newsgroup
> ------------------------------------------------
> http://www.chrisse.se - Active Directory Resources
>
> "Dave Shaw [MVP]" <dhshaw@xxxxxxx> wrote in message
> news:%23mvJWsYEGHA.648@xxxxxxxxxxxxxxxxxxxxxxx
>>I hate to tell you this, but there is no effective means to isolate a
>>single domain within a forest from the Enterprise Admins. They have
>>complete control over the forest.
>>
>> Here is the very best paper ever written on the subject -
>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/actdid1.mspx
>>
>>
>> -ds
>>
>>
>> "John Czahor" <John Czahor@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:33DBA94F-CB41-4804-A793-7B935657902F@xxxxxxxxxxxxxxxx
>>>I have been asked to compleatly isolate a subdomain in AD. The Data is
>>>very
>>> sensitive and cannot be view by anyone includingthe enterprise admins.
>>> There
>>> will be only one admin to administritor to this sub domain (me). How do
>>> I do
>>> this? these users will still need to access thing within the forest.
>>> Please
>>> let me know.
>>>
>>> John
>>
>>
>
>


.

Relevant Pages

  • Re: isolating a subdomain in AD
    ... Can a Domain Admin become a Enterprise Admin within a Forest ... http://www.chrisse.se - Active Directory Resources ... >single domain within a forest from the Enterprise Admins. ... >>I have been asked to compleatly isolate a subdomain in AD. ...
    (microsoft.public.windows.server.active_directory)
  • Re: One domain admin for multiple domains
    ... If you're dealing with 2 separate forests, then you can create a trust ... The forest container is a security boundary in both 2000 and 2003 though, ... Membership in the Enterprise Admins group should be ...
    (microsoft.public.win2000.security)
  • Re: Forest Trusts
    ... > it seems that Enterprise Admins, Domain Admins are protected some how ... > agenst out of domain / forest user accounts. ... I think its Domain Admin (domain level groups) limited, ... Microsoft Windows MVP - Windows Server - Directory Services Security Is Like An Onion, ...
    (microsoft.public.windows.server.active_directory)
  • Re: How to block off Enterprise Admin in a different tree but same forest?
    ... I've read about blocking EAs from child domains (in a book by authors whom I ... completely trust) and they didn't mention any repercussions other than the ... >> This can really break the ability to accomplish forest wide maintenance. ... >>> Enterprise Admins you need new Enterprise Admins. ...
    (microsoft.public.win2000.active_directory)
  • Re: Groups: How do you configure "God" people?
    ... The domain admins have full control over the domain. ... If you have multiple domains in a forest, the enterprise admins will have full control over all ...
    (microsoft.public.windows.server.security)
Loading