Re: Separating domain admins and enterprise admins
- From: "Austin Osuide" <austin@xxxxxxxxxxx>
- Date: Thu, 18 Oct 2007 21:04:59 +0100
Hi Wolfk,
First off, don't make anyone you don't trust or who doesn't follow policy a domain admin of any domain in your forest.
To understand what's going on with the reversion of permissions, you need to read about the "AdminSDHolder process".
A treatise I enjoy can be found here: http://msmvps.com/blogs/ulfbsimonweidner/archive/2005/05/29/49659.aspx.
There are other links within the blog which also add info.
Regards,
Austin
"WolfK" <WolfK@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:89ECD566-3299-4857-AF2D-1A1E9B1C754B@xxxxxxxxxxxxxxxx
We want to separate the functions of domain admins and enterprise admins, so
the former cannot make themselves enterprise admins. When I do this in a new
AD created in newly installed 2003 R2 servers, the domain admins keep modify
perms rights, as they are the owners. So I change the ownership to
Enterprise Admins and put an explicit deny on the enterprise objects, which
are in their own OU. Within minutes some system process goes through and
restores the default permissions. What's the point of having separation of
rights when the system thinks it knows best? Beside that point, how do I
stop this behavior? Is there some security template somewhere that I need to
modify?