Re: Security on single forest domain design



Here is where I mention Restricted Groups and here is where Paul mentions
startup script....

And let's not forget our friend 'cusrmgr'. I *think* that KJ would mention
this....

The problem with Restricted Groups is that there is one of two behaviors
(but not really a choice). The default behavior is to flush and add the
group that you determine. There is a fix for this that needs to be applied
to each and every system. Then the behavior is that it will simply add to
whatever is already there. This will prevent anyone else from being added
to your 'local focus group' (read: local Administrators group on each PC).

The problem with the startup script is that it does not prevent other
users/groups from being added to your 'local focus group'.

So, whatever works better for you is the solution that you should choose.

HTH,

--
Cary W. Shultz
Roanoke, VA 24012
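Added example, not from any poster in this thread: a startup script that takes the additive approach Cary describes (add the designated group, never flush the local Administrators group) and, since a startup script cannot stop other principals from being added, also logs any member that is not on an approved list so the drift at least becomes visible. It assumes PowerShell 5.1 or later (Microsoft.PowerShell.LocalAccounts); the CONTOSO group names, the approved list and the log path are placeholders.

```powershell
# Added example (not from the thread). Startup script: adds a designated domain
# group to local Administrators without removing existing members, then reports
# any member outside an approved list. Assumes PowerShell 5.1+ and that the
# names below are placeholders for your own environment.

$FocusGroup = 'CONTOSO\Workstation Admins'          # assumed group to enforce
$Approved   = @('CONTOSO\Domain Admins',             # assumed approved list
                'CONTOSO\Workstation Admins',
                "$env:COMPUTERNAME\Administrator")
$LogFile    = Join-Path $env:ProgramData 'LocalAdminAudit.log'   # assumed path

function Get-LocalAdminNames {
    # Returns members as DOMAIN\name (local accounts appear as COMPUTER\name)
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name }
}

$stamp = Get-Date -Format s

# Additive step: add the focus group only if it is missing; nothing is removed.
if ((Get-LocalAdminNames) -notcontains $FocusGroup) {
    Add-LocalGroupMember -Group 'Administrators' -Member $FocusGroup -ErrorAction Stop
    "$stamp ADDED $FocusGroup" | Add-Content -Path $LogFile
}

# Detection step: a startup script cannot block other additions, so flag any
# member that is not on the approved list for review.
$unexpected = Get-LocalAdminNames | Where-Object { $Approved -notcontains $_ }
foreach ($member in $unexpected) {
    "$stamp UNEXPECTED $member" | Add-Content -Path $LogFile
}
```

Comparison with -notcontains is case-insensitive, so 'contoso\domain admins' and 'CONTOSO\Domain Admins' match; members that resolve only to an orphaned SID still show up in the log as unexpected, which is usually what you want.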

"agcastle2000" <agcastle2000@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:93E4C4B8-B50F-4062-9AA5-18692CDE3441@xxxxxxxxxxxxxxxx
Hi Paul,

I thought you were based in the US.

I agree with what you said... sometimes security is impractical.

The thing is that for the other Admins not to be able to mess with the AD
structure, it looks like the only choice is to remove their memberships from
Enterprise Admins, Domain Admins and Schema Admins. Right?

It is worth mentioning that as Domain Admins is automatically added to
the local group Administrators on each member workstation or server,
removing the other Windows Administrators from Domain Admins would also remove
their ability to administer these machines. grrh. This is the dark side of
it.

This leads me to ask whether it is possible in GP to populate the local
group Administrators with users.


Regards,
Archie

It's not so early over here in the UK... ;-)

But it is a Saturday, so half of your comment is correct <g>

Sorry I couldn't be more help. But this really does depend on so many
factors, that it is something that you have to plan and design yourself.
You can get advice from people here and whitepapers, etc. but at the end of
the day, sometimes security is impractical. And other times it's practical,
if you have understanding management who are willing to pay lots of money
for no perceived benefit whatsoever...
