Re: Separating domain admins and enterprise admins



It is IMPOSSIBLE to prevent members of Administrators, Domain Admins and Enterprise Admins from doing things you do not want them to do!

Well, there is a solution... remove their direct or indirect membership in those groups.

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
"WolfK" <WolfK@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:89ECD566-3299-4857-AF2D-1A1E9B1C754B@xxxxxxxxxxxxxxxx
We want to separate the functions of domain admins and enterprise admins, so
the former cannot make themselves enterprise admins. When I do this in a new
AD created in newly installed 2003 R2 servers, the domain admins keep modify
perms rights, as they are the owners. So I change the ownership to
Enterprise Admins and put an explicit deny on the enterprise objects, which
are in their own OU. Within minutes some system process goes through and
restores the default permissions. What's the point of having separation of
rights when the system thinks it knows best? Beside that point, how do I
stop this behavior? Is there some security template somewhere that I need to
modify?
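
An added example, not part of the original thread: a read-only PowerShell audit that lists who holds direct or indirect (nested) membership in the three groups named in the reply, which is the information needed before removing anyone. It assumes the ActiveDirectory module (RSAT) is installed and that every member resolves from the queried domain controller; the variable names are illustrative.

```powershell
# Added example, not from the original thread. Read-only: it changes nothing.
# Assumes the ActiveDirectory module (RSAT) and read access to the directory.
Import-Module ActiveDirectory

$domain     = (Get-ADDomain).DNSRoot
$forestRoot = (Get-ADForest).RootDomain   # Enterprise Admins lives in the forest root domain

# The three groups named in the reply, with the domain that holds each one.
$groups = @(
    @{ Name = 'Administrators';    Server = $domain     },
    @{ Name = 'Domain Admins';     Server = $domain     },
    @{ Name = 'Enterprise Admins'; Server = $forestRoot }
)

$report = foreach ($g in $groups) {
    # Direct members only (these may themselves be groups).
    $direct = Get-ADGroupMember -Identity $g.Name -Server $g.Server
    # Every non-group member reachable through any depth of nesting.
    $all    = Get-ADGroupMember -Identity $g.Name -Server $g.Server -Recursive

    $directDns = @($direct | ForEach-Object { $_.distinguishedName })

    foreach ($m in $all) {
        [pscustomobject]@{
            Group       = $g.Name
            Member      = $m.SamAccountName
            ObjectClass = $m.objectClass
            # 'Indirect' means the account gets the privilege through a nested group.
            Membership  = if ($directDns -contains $m.distinguishedName) { 'Direct' } else { 'Indirect' }
        }
    }
}

$report | Sort-Object Group, Membership, Member | Format-Table -AutoSize
```

Accounts reported as Indirect are the ones that a review of a group's direct member list alone would miss.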
