Re: Restrict User account creation
- From: "Herb Martin" <news@xxxxxxxxxxxxxx>
- Date: Sun, 13 May 2007 14:43:11 -0500
"Net Admin" <NetAdmin@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:5A6CE90D-6413-4A35-ACC9-4E034543C134@xxxxxxxxxxxxxxxx
> I know that Domain Admins are the Gods of the domain but I must ask this
> question..
> Has anyone found a way to restrict a Domain Admin member from creating new
> user accounts?
Of course not. Domain Admins have the right to take ownership of any
object so even if you apply restrictions they can just take ownership and
put it back.
Even then they can install drivers and services that work as part of the
System (or debug existing processes) and with enough cleverness and
tools get around most anything.*
*Maybe not "EFS encrypted files" if the specific admin is not also an
Encryption Recovery Agent. But even then the Admin could log on
as someone else (by first changing the password) and thus become either
the user or the recovery agent -- unless you have carefully removed the
private key for all the Recovery Agent cert(s) from all machines where
the resource might be located.
> If not then I will demote this person to Domain User and delegate the
> necessary rights.
Correct. It is easier in almost all cases to never GIVE the excessive
privileges but only give those necessary and avoid trying to remove the
excess.
> Thank you
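
An added example, not part of the original post: after demoting the account and delegating only what is needed, one way to check who can still create user accounts under an OU, or regain that ability by rewriting its ACL or taking ownership as the reply describes. It assumes the RSAT ActiveDirectory module is installed; the function name and the OU distinguished name are hypothetical.

```powershell
Import-Module ActiveDirectory   # assumption: RSAT ActiveDirectory module is available

$UserClass = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the "user" class
$ADR       = [System.Security.AccessControl.PropagationFlags]  # placeholder, reassigned below
$ADR       = [System.DirectoryServices.ActiveDirectoryRights]
$InheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

function Get-UserCreationRight {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$DistinguishedName)

    $acl = Get-Acl -Path "AD:\$DistinguishedName"

    # The owner can always rewrite the ACL, so report it first.
    [pscustomobject]@{ Identity = $acl.Owner; Why = 'Owner'; Inherited = $false }

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Inherit-only ACEs apply to child objects, not to this container.
        if ([int]$ace.PropagationFlags -band $InheritOnly) { continue }

        $rights = [int]$ace.ActiveDirectoryRights
        $why = @()
        # CreateChild is scoped by ObjectType: empty GUID = any class, else one class.
        # GenericAll includes the CreateChild bit, so it is caught here as well.
        if (($rights -band [int]$ADR::CreateChild) -and
            ($ace.ObjectType -eq [guid]::Empty -or $ace.ObjectType -eq $UserClass)) {
            $why += 'CreateChild(user)'
        }
        # These two rights let a principal grant itself CreateChild later.
        if ($rights -band [int]$ADR::WriteDacl)  { $why += 'WriteDacl' }
        if ($rights -band [int]$ADR::WriteOwner) { $why += 'WriteOwner' }

        if ($why.Count -gt 0) {
            [pscustomobject]@{
                Identity  = $ace.IdentityReference.Value
                Why       = $why -join ', '
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Hypothetical OU; Deny ACEs are not evaluated, so treat the output as an upper bound.
Get-UserCreationRight -DistinguishedName 'OU=Staff,DC=example,DC=com' |
    Sort-Object Identity | Format-Table -AutoSize
```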