Re: Moving DC's From Default OU ?



LOL. Excellent example of what I said. Complete misunderstanding on how Domain Security works.

Once the outsourcing company has rights to make admin changes on a single DC they own your entire forest. You cannot protect against this in any way you dream up because it just cannot be done with Active Directory.

You might as well make them Domain and Enterprise Admins; at least you will be honest with yourself about what rights they have.

Again, I don't care who told you otherwise, you cannot protect the AD from someone you give admin-level rights to, or in fact even server operator rights or even less.


--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm


Jim B. wrote:
Joe,

I've got one for you. My company is moving the production systems to a utility computing environment that is hosted at a 3rd party data center. The 3rd party will be managing the O/S and hardware for us. One of their requirements is that we establish a trust to their management domain and grant their management group access as members of the Built-in Administrators group on the DCs that they will be hosting for the production domains and forest. While setting up a resource domain would be the preferred method, it is out of scope for this project.

In an effort to secure the AD, we want to move these DCs and all other computer objects into another tree structure so that we can apply a DENY for all permissions.

Make Sense? Hope so.

Jim

"Joe Richards [MVP]" wrote:

It can be done safely but the more important question is why? I have yet in 6 years of hundreds of people in lots of companies trying to convince me of this to have heard a single good reason for it.

In almost every case the thought to do this is based on some misunderstanding on how Domain Security works or some stupid plan to have a pretty hierarchy.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm


Chris wrote:
Are there any known issues from moving our DC's from the default domain controller OU?
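As an added example, not from any poster in this thread: a PowerShell audit that lists who holds the DC-level rights Joe is talking about (Builtin Administrators, Server Operators and the like) and flags members that resolve to a foreign security principal, i.e. an account from a trusted domain such as the hosting provider's management domain Jim describes. It assumes the ActiveDirectory module is available and is run on a domain member with read access to the domain.

```powershell
# Added example (not from this thread). Enumerate the groups whose members
# can act as admin on a domain controller and flag members that come from
# outside this forest via a trust. Any "Foreign = True" row is an identity
# that effectively holds Domain/Enterprise Admin rights, whatever OU the DCs
# sit in and whatever DENY ACEs are applied there.
Import-Module ActiveDirectory

# Default English names; Enterprise/Schema Admins only exist in the forest
# root, so the lookup simply skips them in a child domain.
$dcAdminGroups = @(
    'Administrators',      # Builtin, RID 544
    'Server Operators',    # Builtin, RID 549
    'Backup Operators',    # Builtin, RID 551
    'Print Operators',     # Builtin, RID 550
    'Domain Admins',
    'Enterprise Admins',
    'Schema Admins'
)

$domain  = Get-ADDomain
$fspBase = "CN=ForeignSecurityPrincipals,$($domain.DistinguishedName)"

function Get-DcAdminMembers {
    foreach ($name in $dcAdminGroups) {
        $group = Get-ADGroup -Filter "Name -eq '$name'" -Properties member -ErrorAction SilentlyContinue
        if (-not $group) { continue }
        foreach ($dn in $group.member) {
            # Direct members only; nested groups show up with Class = group
            $obj = Get-ADObject -Identity $dn -Properties objectSid, objectClass
            $isForeign = ($dn -like "*,$fspBase") -or ($obj.objectClass -eq 'foreignSecurityPrincipal')
            # Resolve the SID to DOMAIN\name; falls back to the raw SID if
            # the trust is down or the SID cannot be translated.
            $account = $obj.objectSid.Value
            try { $account = $obj.objectSid.Translate([System.Security.Principal.NTAccount]).Value } catch {}
            [pscustomobject]@{
                Group   = $name
                Member  = $account
                Class   = $obj.objectClass
                Foreign = $isForeign
            }
        }
    }
}

Get-DcAdminMembers | Sort-Object Foreign -Descending | Format-Table -AutoSize
```

Run it against the production domain before and after the hosting provider's trust and group changes go in; the difference in the Foreign = True rows is the actual scope of control that has been handed over.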


