Re: Moving DC's From Default OU ?



then the business should be told that if they want security, this is NOT the way

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
"Jim B." <JimB@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:1D053CA5-B026-4A78-AA25-1751E7A19930@xxxxxxxxxxxxxxxx
Thanks, and yes, I understand and agree... my problem is that the business has decided this.

Got any magic fixes?

Thanks anyway!

"Jorge de Almeida Pinto [MVP - DS]" wrote:

In an effort to secure the AD, we want to move these DCs and all other computer objects into another tree structure so that we can apply a DENY for all permissions.

Make sense? Hope so.

Heck no! If I'm an admin (domain admins, administrators, enterprise admin, etc.) you can deny whatever you want to. It will not work! Why? Because although I don't have permissions (the DENY), I can change them back so I do have access. How? Just by taking over control! (take ownership and change the permissions again to whatever I want)

This is like THINKING you have a metal vault door, but in reality it is a plastic one and very easy to kick down!

--
Jorge de Almeida Pinto [MVP - DS]
"Jim B." <Jim B.@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:37DE7758-3892-4CAE-BB07-7CA328800F2D@xxxxxxxxxxxxxxxx
Joe,

I've got one for you. My company is moving the production systems to a utility computing environment that is hosted at a 3rd party data center. The 3rd party will be managing the O/S and hardware for us. One of their requirements is that we establish a trust to their management domain and grant their management group access as members of the Built-in Administrators group on the DCs that they will be hosting for the production domains and forest. While setting up a resource domain would be the preferred method, it is out of scope for this project.

In an effort to secure the AD, we want to move these DCs and all other computer objects into another tree structure so that we can apply a DENY for all permissions.

Make sense? Hope so.

Jim

"Joe Richards [MVP]" wrote:

It can be done safely, but the more important question is why? In 6 years of hundreds of people in lots of companies trying to convince me of this, I have yet to hear a single good reason for it.

In almost every case the thought to do this is based on some misunderstanding of how Domain Security works or some stupid plan to have a pretty hierarchy.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm


Chris wrote:
Are there any known issues from moving our DCs from the default Domain Controllers OU?
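The point Jorge makes above (a DENY cannot stop a principal that can take ownership of the object and rewrite the DACL), as an added PowerShell example. This is not code from anyone in the thread. It assumes it is run in an elevated PowerShell on a DC, as a member of Domain Admins, with the ActiveDirectory and GroupPolicy modules and dsacls.exe present, against a throw-away test OU; the DN "OU=HostedDCs,DC=corp,DC=example" and the domain are made up for illustration. The last function checks a caveat the thread does not raise: a DC moved out of the Domain Controllers OU no longer receives the Default Domain Controllers Policy unless that GPO is linked to the new OU as well.

```powershell
# Added example, not code from anyone in the thread. Assumes it is run in an
# elevated PowerShell on a DC, as a member of Domain Admins, with the
# ActiveDirectory and GroupPolicy modules installed, against a throw-away test
# OU. The DN and domain below are assumptions; never point this at the real
# Domain Controllers OU.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$OuDn   = 'OU=HostedDCs,DC=corp,DC=example'                      # assumed test OU
$Admins = [System.Security.Principal.NTAccount] 'BUILTIN\Administrators'

function Add-DenyAllAce {
    # What the original poster proposed: Deny "all permissions" (GenericAll)
    # for the trustee, inherited by every object under the OU.
    param([string]$Dn, [System.Security.Principal.NTAccount]$Trustee)
    $acl  = Get-Acl -Path "AD:\$Dn"          # still readable: the Deny does not exist yet
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Trustee,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AccessControlType]::Deny,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$Dn" -AclObject $acl
}

function Test-CanReadAcl {
    # $true if the caller can still read the security descriptor (READ_CONTROL).
    param([string]$Dn)
    try { [void](Get-Acl -Path "AD:\$Dn" -ErrorAction Stop); $true } catch { $false }
}

function Get-DenyAces {
    # Explicit (non-inherited) Deny ACEs on the object, for reporting.
    param([string]$Dn)
    (Get-Acl -Path "AD:\$Dn").Access |
        Where-Object { $_.AccessControlType -eq 'Deny' -and -not $_.IsInherited } |
        Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType
}

function Remove-DenyByTakeover {
    # What Jorge describes: take ownership, then change the permissions back.
    # Step 1: take ownership. Opening the object for WRITE_OWNER only needs
    # SeTakeOwnershipPrivilege, which the Default Domain Controllers Policy
    # grants to Administrators on every DC; the Deny ACE is not consulted for it.
    param([string]$Dn, [System.Security.Principal.NTAccount]$Trustee)
    & dsacls.exe $Dn /takeownership | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dsacls /takeownership failed for $Dn" }
    # Step 2: an owner has implicit READ_CONTROL and WRITE_DAC whatever the DACL
    # says, so reading and rewriting the ACL now succeeds. Drop every explicit
    # Deny ACE for the trustee.
    $acl = Get-Acl -Path "AD:\$Dn"
    $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Deny' -and -not $_.IsInherited -and
                       $_.IdentityReference.Value -eq $Trustee.Value } |
        ForEach-Object { [void]$acl.RemoveAccessRule($_) }
    Set-Acl -Path "AD:\$Dn" -AclObject $acl
}

function Test-DcPolicyLinked {
    # Caveat the thread does not raise: the Default Domain Controllers Policy is
    # linked only to the Domain Controllers OU. DCs moved to another OU stop
    # receiving it (user-rights assignments included) unless it is linked there too.
    param([string]$Dn)
    $links = (Get-GPInheritance -Target $Dn).GpoLinks
    [bool]($links | Where-Object { $_.DisplayName -eq 'Default Domain Controllers Policy' })
}

# --- Run through the scenario on the test OU ---
Add-DenyAllAce -Dn $OuDn -Trustee $Admins
if (Test-CanReadAcl -Dn $OuDn) {
    "Deny GenericAll is in place, yet this admin still reads the ACL:"
    "the OU owner's implicit rights bypass the Deny before a takeover is even needed."
} else {
    "Deny GenericAll blocks a plain read, as the poster intended. Taking ownership..."
}
Remove-DenyByTakeover -Dn $OuDn -Trustee $Admins
$left = @(Get-DenyAces -Dn $OuDn | Where-Object { $_.IdentityReference.Value -eq $Admins.Value })
"Explicit Deny ACEs left for $($Admins.Value) after takeover: $($left.Count)"
"Default Domain Controllers Policy linked to the new OU: $(Test-DcPolicyLinked -Dn $OuDn)"
```

Either branch of the read test proves the same thing: if the Domain Admins group already owns the OU (the default for an OU it created), the Deny never bit in the first place; if someone else owns it, one `dsacls /takeownership` puts the admin back in charge and the Deny is gone a moment later. The only structural answer to the hosting requirement in the thread is the one Jim already named and ruled out: a separate resource domain or forest, so the provider's administrators are never administrators of the production forest.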