Re: Settle an Administrator's dispute



It takes much less than administrator on a child DC to escalate all the way to Enterprise Admin of an entire multidomain forest. There is a reason the domain isn't considered a security boundary.

As for the specifics of how, not going to share it as there is nothing anyone can do to really prevent it. It isn't all that hard to work out the steps when you think enough about it though.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm


Jorge Silva wrote:
It is moot, if a user is in Administrators or Domain Admins they can
give themselves as much rights as they want in the forest.

What do you mean? That a member of builtin/Administrators can't add himself to Enterprise and Domain Admins in the Root?
If yes... I'm sorry but the last time that I tested this it worked... Of course I'm talking about the Root domain and not a Child domain; in a child they can add themselves to the Domain Admins.

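The dispute above turns on who sits in Administrators, Domain Admins, Enterprise Admins and Schema Admins in each domain of the forest, and on the fact that rights in the root domain reach the whole forest. The script below is an added example, not part of the thread and not code from either poster: it lists the direct members of those groups in every domain, marks members that come from another domain (foreign security principals), and prints the cross-domain entries separately so they can be reviewed. It assumes the ActiveDirectory PowerShell module (RSAT) and read access to group membership in every domain; it does not expand nested groups, so a nested path into Enterprise Admins needs a further pass.

```powershell
# Added example: audit the forest-level and per-domain privileged groups.
# Assumes the ActiveDirectory module and read access to each domain.
Import-Module ActiveDirectory

# Derive the DNS domain name from the DC= components of a distinguished name.
function Get-DomainFromDN {
    param([string]$DistinguishedName)
    $dcParts = ($DistinguishedName -split ',') | Where-Object { $_ -like 'DC=*' }
    ($dcParts -replace '^DC=', '') -join '.'
}

$forest = Get-ADForest

$report = foreach ($domain in $forest.Domains) {
    # Domain Admins and builtin Administrators exist in every domain;
    # Enterprise Admins and Schema Admins exist only in the forest root.
    $groups = @('Administrators', 'Domain Admins')
    if ($domain -eq $forest.RootDomain) {
        $groups += 'Enterprise Admins', 'Schema Admins'
    }

    foreach ($name in $groups) {
        # -Server accepts a domain name; the cmdlet locates a DC for it.
        $group = Get-ADGroup -Identity $name -Server $domain -Properties member
        foreach ($dn in $group.member) {
            # A member from another domain is stored as a foreign security
            # principal in this domain; by default that is how the root's
            # Enterprise Admins appear in each child's Administrators group.
            $isForeign = $dn -match 'CN=ForeignSecurityPrincipals,'
            [pscustomobject]@{
                Domain       = $domain
                Group        = $name
                Member       = $dn
                MemberDomain = Get-DomainFromDN -DistinguishedName $dn
                CrossDomain  = $isForeign
            }
        }
    }
}

# Full membership, then only the entries that cross a domain boundary.
$report | Sort-Object Domain, Group | Format-Table Domain, Group, Member -AutoSize
"--- members granted rights from another domain ---"
$report | Where-Object CrossDomain | Format-Table Domain, Group, Member -AutoSize
```

Run it from an account that can read group membership in every domain. Any child-domain principal that shows up under the root's Administrators, Enterprise Admins or Schema Admins already has forest-wide rights in the sense both posters describe; the default cross-domain entry (the root's Enterprise Admins inside each child's Administrators) is expected and is the reverse direction.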