Re: Settle a Administrator's dispute

Ok, that was what I wanted to confirm.
Any away I of course agree with you when you say domain aren't security
Boundaries, only forests are security Boundaries and that domains should not
be used as administrative boundaries
Domains are the boundaries for administration and for certain security
policies, such as password complexity and password reuse rules, which cannot
be inherited from one domain to another.


--
I hope that the information above helps you

Good Luck
Jorge Silva
MCSA
Systems Administrator

"Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx> wrote in message
news:uxXpA$ZuGHA.4160@xxxxxxxxxxxxxxxxxxxxxxx
Sorry I think I misread. I wasn't saying that administrators couldn't add
themselves to other groups. I was saying the original question was a moot
point because both admins and domain admins (and even serv ops and others)
can give themselves as much rights in the forest as they want so even if
someone took some rights away from the administrator account, you didn't
actually stop anything because they can just give those rights back.

Aside from that, by default, admins and domain admins have create and
modify rights in the directory for the default NC of the Domain they are
part of.


--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm


Jorge Silva wrote:
So my setence was correct?
The bultin\Admnistrators can add himselfs to other security groups.



.

Relevant Pages

  • Re: Delegate certain rights to a single Domain Controller
    ... Please note that this hack does not eliminate all possible security risks, ... > This posting is provided "as is" with no warranties and confers no rights ... >> If you think your domain admins can only modify stuff in their own ... >>> cannot modify DCs across domains. ...
    (microsoft.public.windows.server.active_directory)
  • Re: Strange problem in Active Directory
    ... Domain Admins or Enterprise Admins security groups. ... This posting is provided "AS IS" with no warranties, and confers no rights.. ...
    (microsoft.public.windows.server.active_directory)
  • Re: Network access not working
    ... no rights. ... a similar folder with the same accesses. ... have specific security assigned versus everyone having full control. ... Should I instead set it for domain admins and myself and ...
    (microsoft.public.windows.server.security)
  • NTFS Security gone nuts
    ... I have a folder that my users have full access to. ... add an individual to the security with full rights and it ... all rights for Domain Admins and System were removed. ...
    (microsoft.public.win2000.security)
  • Re: Secure shared web hosting using MAC Framework
    ... run the web server and web users shell in a jail, ... Those rights should have priority on any traditional unix file ... This directive allows you to disable certain functions for security reasons. ... Web users and executed web scripts shouldn't be able to read ...
    (FreeBSD-Security)