Re: isolating a subdomain in AD




I understand that...

What I wanted to say was that no matter whether you deny someone with
domain/enterprise admin rights permissions to some domain, that same admin
will still be able to do whatever he/she wants!
If he really needs isolation, then he should have an additional forest for
that data.

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)
# Jorge de Almeida Pinto #
BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
-----------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
-----------------------------------------------------------------------------


-----------------------------------------------------------------------------
"chriss3 [MVP]" <removethis_christoffer@xxxxxxxx> wrote in message
news:u9MjsYgEGHA.532@xxxxxxxxxxxxxxxxxxxxxxx
> Yes that is what the article is about, but his question in particular was
> to deny the enterprise admin to have any rights within a child domain ;)
>
> --
> Regards
> Christoffer Andersson
> Microsoft MVP - Directory Services
>
>
> No email replies please - reply in the newsgroup
> ------------------------------------------------
> http://www.chrisse.se - Active Directory Resources
>
> "Jorge de Almeida Pinto"
> <SubstituteThisWithMyFullNameSeparatedByDots@xxxxxxxxx> wrote in message
> news:ONfdxmeEGHA.272@xxxxxxxxxxxxxxxxxxxxxxx
>> EVERY domain admin in the forest can take over control, not just the
>> enterprise admins
>>
>> --
>>
>> Cheers,
>> (HOPEFULLY THIS INFORMATION HELPS YOU!)
>> # Jorge de Almeida Pinto #
>> BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
>> -----------------------------------------------------------------------------
>> * This posting is provided "AS IS" with no warranties and confers no
>> rights!
>> * Always test before implementing!
>> -----------------------------------------------------------------------------
>>
>>
>> -----------------------------------------------------------------------------
>> "chriss3 [MVP]" <removethis_christoffer@xxxxxxxx> wrote in message
>> news:eK9yFHZEGHA.1120@xxxxxxxxxxxxxxxxxxxxxxx
>>> Hello,
>>> Dave is right!
>>>
>>> Here are a few words that explain why it's not secure.
>>>
>>> Can a Domain Admin become a Enterprise Admin within a Forest
>>> http://www.chrisse.se/MAQB.asp?ID=51
>>> (Enterprise Admins are owners within the forest and can always take
>>> ownership)
>>>
>>> If you want to look at real isolation have a look at the Multiple Forest
>>> Consideration white paper:
>>> http://www.microsoft.com/downloads/details.aspx?FamilyID=b717bfcd-6c1c-4af6-8b2c-b604e60067ba&DisplayLang=en
>>>
>>> --
>>> Regards
>>> Christoffer Andersson
>>> Microsoft MVP - Directory Services
>>>
>>>
>>> No email replies please - reply in the newsgroup
>>> ------------------------------------------------
>>> http://www.chrisse.se - Active Directory Resources
>>>
>>> "Dave Shaw [MVP]" <dhshaw@xxxxxxx> wrote in message
>>> news:%23mvJWsYEGHA.648@xxxxxxxxxxxxxxxxxxxxxxx
>>>>I hate to tell you this, but there is no effective means to isolate a
>>>>single domain within a forest from the Enterprise Admins. They have
>>>>complete control over the forest.
>>>>
>>>> Here is the very best paper ever written on the subject -
>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/actdid1.mspx
>>>>
>>>>
>>>> -ds
>>>>
>>>>
>>>> "John Czahor" <John Czahor@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>>>> news:33DBA94F-CB41-4804-A793-7B935657902F@xxxxxxxxxxxxxxxx
>>>>> I have been asked to completely isolate a subdomain in AD. The data is
>>>>> very sensitive and cannot be viewed by anyone, including the enterprise
>>>>> admins. There will be only one admin to administer this sub domain (me).
>>>>> How do I do this? These users will still need to access things within
>>>>> the forest. Please let me know.
>>>>>
>>>>> John
>>>>
>>>>
>>>
>>>
>>
>>
>
>


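The thread's point is that a domain inside a forest is not a security boundary: the forest-root groups own the forest-wide partitions, an owner can always rewrite a DACL, and so a Deny against Enterprise Admins in a child domain is not a control. The script below is an added example, not code from any of the posters, that makes this visible on a real forest. It reads the owner and the ACEs held by Enterprise Admins and every domain's Domain Admins on the child domain's naming context head, the Configuration partition and the Schema partition, and then lists who sits in the child domain's BUILTIN\Administrators group. Assumptions: the RSAT ActiveDirectory module is installed, the host is joined to the forest, the caller can read the child domain, the function name Get-ForestControlAces is mine, and sensitive.corp.example is a placeholder domain name.

```powershell
<#
  Added example (not from the thread): show how much isolation a child domain
  really has from the forest-root groups. Assumes RSAT ActiveDirectory module
  and a domain-joined host; 'sensitive.corp.example' is an assumed name.
#>
param(
    [string]$ChildDomain = 'sensitive.corp.example'   # assumption: the "isolated" subdomain
)
Import-Module ActiveDirectory

$forest  = Get-ADForest
$root    = Get-ADDomain -Identity $forest.RootDomain
$child   = Get-ADDomain -Identity $ChildDomain
$rootDC  = $root.PDCEmulator
$childDC = $child.PDCEmulator

# Well-known RIDs: 519 = Enterprise Admins (only in the forest root),
# 512 = Domain Admins (one per domain). Map SID string -> label for reporting.
$privileged = @{}
$privileged["$($root.DomainSID)-519"] = "Enterprise Admins ($($root.DNSRoot))"
foreach ($name in $forest.Domains) {
    $d = Get-ADDomain -Identity $name
    $privileged["$($d.DomainSID)-512"] = "Domain Admins ($($d.DNSRoot))"
}

function Get-ForestControlAces {
    param([string]$DistinguishedName, [string]$Server)
    # nTSecurityDescriptor is returned as a System.DirectoryServices.ActiveDirectorySecurity object.
    $obj = Get-ADObject -Identity $DistinguishedName -Properties nTSecurityDescriptor -Server $Server
    $sd  = $obj.nTSecurityDescriptor
    $sidType  = [System.Security.Principal.SecurityIdentifier]
    $ownerSid = $sd.GetOwner($sidType).Value
    $owner    = $ownerSid
    if ($privileged.ContainsKey($ownerSid)) { $owner = $privileged[$ownerSid] }

    # Keep only ACEs granted to the forest-root / domain-admin groups.
    $aces = $sd.GetAccessRules($true, $true, $sidType) |
        Where-Object { $privileged.ContainsKey($_.IdentityReference.Value) } |
        ForEach-Object {
            [PSCustomObject]@{
                Principal = $privileged[$_.IdentityReference.Value]
                Type      = $_.AccessControlType      # Allow / Deny
                Rights    = $_.ActiveDirectoryRights  # e.g. GenericAll, WriteDacl, WriteOwner
                Inherited = $_.IsInherited
            }
        }
    [PSCustomObject]@{ Object = $DistinguishedName; Owner = $owner; Aces = @($aces) }
}

# Targets: the child domain head, plus the two partitions every DC in the forest replicates.
$rootDse = Get-ADRootDSE -Server $rootDC
$targets = @(
    @{ DN = $child.DistinguishedName;            Server = $childDC },  # child domain NC head
    @{ DN = $rootDse.configurationNamingContext; Server = $rootDC  },  # Configuration NC (forest-wide)
    @{ DN = $rootDse.schemaNamingContext;        Server = $rootDC  }   # Schema NC (forest-wide)
)
foreach ($t in $targets) {
    $r = Get-ForestControlAces -DistinguishedName $t.DN -Server $t.Server
    "`n== $($r.Object)"
    "   owner: $($r.Owner)   (an owner always holds READ_CONTROL and WRITE_DAC, Deny ACEs or not)"
    $r.Aces | Format-Table Principal, Type, Rights, Inherited -AutoSize | Out-String
}

# BUILTIN\Administrators (S-1-5-32-544) of the child domain. Enterprise Admins is a member
# by default; removing it is the "deny" the thread discusses, and the ACLs above show why
# that alone does not isolate the domain.
"`n== Members of BUILTIN\Administrators in $($child.DNSRoot)"
Get-ADGroupMember -Identity 'S-1-5-32-544' -Server $childDC | ForEach-Object {
    $sid = $_.SID.Value
    $label = $_.Name
    if ($privileged.ContainsKey($sid)) { $label = $privileged[$sid] }
    "  $label"
}
```

Read the output for two things: who owns each naming context (an owner can rewrite the DACL at will, so a Deny ACE against the owner's group is not a control), and which forest-root groups hold rights on the Configuration and Schema partitions, which every domain in the forest shares and every DC replicates. Whatever you strip from the child domain's own ACLs, those two partitions and their owners stay the same, which is the concrete form of Christoffer's "Enterprise Admins are owners within the forest and can always take ownership" and of the thread's conclusion that data requiring real isolation belongs in a separate forest.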


