Re: Grant Administrative Access to a Domain Controller



You are also wrong. From several angles.

First off, it isn't a simple case of Deny overrides Grant. There is a hierarchical structure for ACLing that has to be taken into account. An explicit Grant overrides an inherited Deny. Administrators/Domain Admins are granted explicit rights all over the directory. Look at the default Security Descriptors of AD objects sometime; they are the things that look like

>defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;AO)(A;;RPLCLORC;;;PS)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;CR;ab721a54-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;CR;ab721a56-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;RPWP;77B5B886-944A-11d1-AEBD-0000F80367C1;;PS)(OA;;RPWP;E45795B2-9455-11d1-AEBD-0000F80367C1;;PS)(OA;;RPWP;E45795B3-9455-11d1-AEBD-0000F80367C1;;PS)(OA;;RP;037088f8-0ae1-11d2-b422-00a0c968f939;;RS)(OA;;RP;4c164200-20c0-11d0-a768-00aa006e0529;;RS)(OA;;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;;RS)(A;;RC;;;AU)(OA;;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;;AU)(OA;;RP;77B5B886-944A-11d1-AEBD-0000F80367C1;;AU)(OA;;RP;E45795B3-9455-11d1-AEBD-0000F80367C1;;AU)(OA;;RP;e48d0154-bcf8-11d1-8702-00c04fb96050;;AU)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)(OA;;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;;RS)(OA;;RPWP;bf967a7f-0de6-11d0-a285-00aa003049e2;;CA)(OA;;RP;46a9b11d-60ae-405a-b7e8-ff8a58d456d2;;S-1-5-32-560)(OA;;WPRP;6db69a1c-9422-11d1-aebd-0000f80367c1;;S-1-5-32-561)


Second, on a DC, anyone with admin level rights can do pretty much anything they want. Again, just because you don't know/understand the steps needed to take control of the directory, don't assume everyone else has that same shortcoming.

joe


--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
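
As an added example (not code from the thread), a small Python model of the Windows DACL access check, showing why the explicit Allow for DA from the defaultSecurityDescriptor quoted above is reached before, and therefore wins over, a full-control Deny inherited from the domain root. The rights table, SDDL parsing and ordering rule are a simplified reconstruction for illustration; the ACE strings fed to the demo are constructed.

```python
import re

# Subset of SDDL right abbreviations (DS-specific plus standard rights; Windows SDK bit values).
RIGHTS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
          "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
          "WD": 0x40000, "WO": 0x80000}
# ACE syntax: (type;flags;rights;object_guid;inherit_object_guid;account_sid)
ACE_RE = re.compile(r"\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")

def rights_mask(text):
    """Turn an SDDL rights field such as 'RPWPCR' into a bitmask (hex form not handled)."""
    return sum(RIGHTS[text[i:i + 2]] for i in range(0, len(text), 2))

def parse_dacl(sddl):
    """Return the DACL ACEs of an SDDL string (must contain 'D:') as dicts, in listed order."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]
    aces = []
    for ace_type, flags, rights, _guid, _iguid, sid in ACE_RE.findall(dacl):
        pairs = [flags[i:i + 2] for i in range(0, len(flags), 2)]
        aces.append({"type": ace_type, "inherited": "ID" in pairs,
                     "mask": rights_mask(rights), "sid": sid})
    return aces

def canonical_order(aces):
    """Canonical DACL order: explicit Deny, explicit Allow, then inherited Deny, inherited Allow."""
    return sorted(aces, key=lambda a: (a["inherited"], a["type"] not in ("D", "OD")))

def access_check(aces, token_sids, requested):
    """Walk the canonical DACL as Windows does: a Deny covering a still-ungranted bit ends
    the check; Allows strip bits from the request until none remain. GUIDs are ignored."""
    remaining = requested
    for ace in canonical_order(aces):
        if ace["sid"] not in token_sids:
            continue
        if ace["type"] in ("D", "OD"):
            if ace["mask"] & remaining:
                return False
        else:
            remaining &= ~ace["mask"]
            if remaining == 0:
                return True
    return False

# Constructed inputs: the DA Allow ACE from the defaultSecurityDescriptor quoted above, plus a
# full-control Deny for DA inherited (ID flag) from a Deny set at the domain root.
INHERITED_DENY = "(D;CIID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
EXPLICIT_ALLOW = "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
print(access_check(parse_dacl("D:" + INHERITED_DENY + EXPLICIT_ALLOW), {"DA"}, RIGHTS["WP"]))
print(access_check(parse_dacl("D:" + INHERITED_DENY), {"DA"}, RIGHTS["WP"]))
```

The first call returns True (object carrying its own explicit DA Allow) and the second False (object with only the inherited Deny), which is the asymmetry the post above describes.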


nbel007 wrote:
You can even keep it simpler than that: if your domain group is nested
inside of the Domain Admins group, all you would have to do is
simply deny the domain group full control at the domain root level of
Active Directory. Since deny permissions within AD take precedence,
members of that group will have no permissions within AD, but will
still retain admin rights on the server itself. I have tested this and
found this to be the case.


MPerrault wrote:
Joe Richards [MVP] wrote:
Then you aren't dealing with very informed people. Getting into AD that
you have no rights in but you do have access to isn't all that involved.
If you already have rights it is that much easier.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm



Of course you can lock yourself out of AD. I've seen it happen all the
time.

Michael P. Perrault
MCSE, CCNA, A+, MBA
Senior Systems Engineer,
ScriptLogic Corporation

Michael.Perrault@xxxxxxxxxxxxxxx
www.scriptlogic.com
http://groups-beta.google.com/group/scriptlogic-desktop-authority

If you remove the Domain Admins group from perms in AD you remove their
Domain Admins privileges, same if you Deny them access. They can still
log onto the machine but will have no AD control.

Michael P. Perrault
MCSE, CCNA, A+, MBA
Senior Systems Engineer,
ScriptLogic Corporation

Michael.Perrault@xxxxxxxxxxxxxxx
www.scriptlogic.com
http://groups-beta.google.com/group/scriptlogic-desktop-authority
