Re: Moving DC's From Default OU ?



In an effort to secure the AD, we want to move these DCs and all other computer objects into another tree structure so that we can apply a DENY for all permissions.

Make Sense? Hope so.

Heck no! If I'm an admin (domain admins, administrators, enterprise admins, etc.) you can deny whatever you want to. It will not work! Why? Because although I don't have permissions (the DENY), I can change them back so I do have access. How? Just by taking over control! (Take ownership and change the permissions again to whatever I want.)

This is like THINKING you have a metal vault door, but in reality it is a plastic one and very easy to kick down!

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
"Jim B." <Jim B.@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:37DE7758-3892-4CAE-BB07-7CA328800F2D@xxxxxxxxxxxxxxxx
Joe,

I've got one for you. My company is moving the production systems to a utility computing environment that is hosted at a 3rd party data center. The 3rd party will be managing the O/S and hardware for us. One of their requirements is that we establish a trust to their management domain and grant their management group access as members of the Built-in Administrators group on the DCs that they will be hosting for the production domains and forest. While setting up a resource domain would be the preferred method, it is out of scope for this project.

In an effort to secure the AD, we want to move these DCs and all other computer objects into another tree structure so that we can apply a DENY for all permissions.

Make Sense? Hope so.

Jim

"Joe Richards [MVP]" wrote:

It can be done safely, but the more important question is why? In 6 years of hundreds of people in lots of companies trying to convince me of this, I have yet to hear a single good reason for it.

In almost every case the thought to do this is based on some misunderstanding of how Domain Security works or some stupid plan to have a pretty hierarchy.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm


Chris wrote:
Are there any known issues from moving our DCs from the default Domain Controllers OU?
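To make Jorge's point concrete, here is an added illustration (not code from this thread or from any of its posters): a toy Python model of the Windows access check. It models two real NT rules, that an object's owner is always granted READ_CONTROL and WRITE_DAC before the DACL is consulted, and that a token holding SeTakeOwnershipPrivilege (which members of Administrators hold by default) is granted WRITE_OWNER regardless of the DACL. The principal names, group names, the "Hosting-Ops" trustee, the single GENERIC_ALL bit and the sample security descriptor are all constructed for the example. It shows that the same Deny-all ACE holds against a principal without the privilege, but is simply rewritten by one that has it, so the real boundary is membership in the privileged groups (and the trust that grants it), not an ACL on an OU.

```python
# Toy model of the NT access check (constructed illustration, not the
# real Windows/AD implementation). Names and values are made up.
from dataclasses import dataclass

# Subset of the NT standard access rights; GENERIC_ALL stands in for
# "every object-specific right" in this simplified model.
READ_CONTROL = 0x00020000
WRITE_DAC    = 0x00040000
WRITE_OWNER  = 0x00080000
GENERIC_ALL  = 0x10000000
ALL_RIGHTS   = READ_CONTROL | WRITE_DAC | WRITE_OWNER | GENERIC_ALL


@dataclass
class Ace:
    kind: str      # "allow" or "deny"
    trustee: str   # user or group the ACE applies to
    mask: int      # access-mask bits the ACE covers


@dataclass
class SecurityDescriptor:
    owner: str
    dacl: list     # canonical order: Deny ACEs before Allow ACEs


@dataclass(frozen=True)
class Token:
    user: str
    groups: frozenset
    privileges: frozenset = frozenset()

    def holds(self, trustee: str) -> bool:
        return trustee == self.user or trustee in self.groups


def access_check(token: Token, sd: SecurityDescriptor, desired: int) -> bool:
    """Return True if every bit in `desired` is granted to `token`."""
    granted = 0
    # Rule 1: the owner gets READ_CONTROL and WRITE_DAC implicitly,
    # before any ACE is looked at, so no Deny stops the owner
    # from rewriting the DACL.
    if token.holds(sd.owner):
        granted |= desired & (READ_CONTROL | WRITE_DAC)
    # Rule 2: SeTakeOwnershipPrivilege grants WRITE_OWNER outright.
    if "SeTakeOwnershipPrivilege" in token.privileges:
        granted |= desired & WRITE_OWNER
    remaining = desired & ~granted
    if remaining == 0:
        return True
    # Rule 3: walk the DACL; a matching Deny on any remaining bit ends
    # the check, Allow ACEs accumulate until nothing remains.
    for ace in sd.dacl:
        if not token.holds(ace.trustee):
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return False


def take_ownership(token: Token, sd: SecurityDescriptor) -> None:
    if not access_check(token, sd, WRITE_OWNER):
        raise PermissionError("WRITE_OWNER not granted")
    sd.owner = token.user


def rewrite_dacl(token: Token, sd: SecurityDescriptor, dacl: list) -> None:
    if not access_check(token, sd, WRITE_DAC):
        raise PermissionError("WRITE_DAC not granted")
    sd.dacl = list(dacl)


def dc_object() -> SecurityDescriptor:
    # Constructed sample: a DC computer object after the proposed move,
    # with a Deny-everything ACE for the hosting provider's staff group.
    return SecurityDescriptor(owner="Domain Admins", dacl=[
        Ace("deny", "Hosting-Ops", ALL_RIGHTS),
        Ace("allow", "Domain Admins", ALL_RIGHTS),
    ])


def deny_against_administrator() -> tuple:
    """Hosting staff who are also Built-in Administrators: (before, after)."""
    admin = Token("host-svc", frozenset({"Hosting-Ops", "Administrators"}),
                  frozenset({"SeTakeOwnershipPrivilege"}))
    sd = dc_object()
    before = access_check(admin, sd, GENERIC_ALL)   # Deny ACE applies
    take_ownership(admin, sd)                       # via privilege, not DACL
    rewrite_dacl(admin, sd, [Ace("allow", "Administrators", ALL_RIGHTS)])
    after = access_check(admin, sd, GENERIC_ALL)    # Deny ACE is gone
    return before, after


def deny_against_unprivileged() -> bool:
    """The same Deny ACE does hold for a principal without the privilege."""
    contractor = Token("contractor", frozenset({"Hosting-Ops"}))
    sd = dc_object()
    return (not access_check(contractor, sd, GENERIC_ALL)
            and not access_check(contractor, sd, WRITE_OWNER))


if __name__ == "__main__":
    print("Administrators member:", deny_against_administrator())          # (False, True)
    print("Deny holds for unprivileged:", deny_against_unprivileged())     # True
```

The defender's takeaway matches the thread: auditing which principals are in Administrators, Domain Admins or Enterprise Admins (and which trusts feed those groups) tells you who can reach the DCs; a Deny ACE on an OU tells you nothing about them.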