RE: How to prevent some specific Domain Admin Accounts from creating U
- From: Carl Lee <Carl Lee@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 7 Feb 2008 08:48:06 -0800
I've done this before (or something similar to this).
If the group only needs to administer the DCs, it doesn't need to be in the
Domain Admins group. It only needs to be in the Built-in Administrators
group.
The process to do this is slightly different between a 2000 forest and a
2003 forest.
Create 2 groups (e.g. DCAdmins and DenyAD. These are made-up group names;
call them whatever you want.)
Nest DCAdmins in the Administrators group (this gives your account the
ability to administer the DC). Next, add the DCAdmins group to the DenyAD
group.
The next piece is tricky since it requires denies. I have to find my old
doc on how it was done. BUT IT IS NOT a blanket deny over the Domain NC,
Configuration, and Schema. The account that is logging into the DC needs to
be able to read an attribute so that it knows it is allowed to log in to the
machine (this is for 2003 forests).
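The group layout Carl describes, with one targeted deny ACE instead of a blanket deny, as an added PowerShell example that is not part of the original post and was not supplied by the poster. It uses the ActiveDirectory module (Windows Server 2008 R2 and later, not the 2000/2003 era of the thread); the group names DCAdmins and DenyAD are his placeholders, while the OU path and the choice to deny only "Create Child" for the user object class (the subject of the thread title) are assumptions made here.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module,
# an OU named "Admin Groups" for the new groups, and that the thing to deny is
# creating user objects anywhere in the domain NC.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$groupOU  = "OU=Admin Groups,$domainDN"    # assumption: where the two groups live

# 1. Create the two groups if they do not already exist. Domain-local is enough:
#    they are only ever referenced in ACLs and group nesting inside this domain.
foreach ($name in 'DCAdmins', 'DenyAD') {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        New-ADGroup -Name $name -GroupScope DomainLocal -GroupCategory Security -Path $groupOU
    }
}

# 2. Nest DCAdmins in Builtin\Administrators (gives DC admin rights without
#    Domain Admins membership) and in DenyAD (the group the deny ACE is written for).
Add-ADGroupMember -Identity 'Administrators' -Members 'DCAdmins'
Add-ADGroupMember -Identity 'DenyAD'         -Members 'DCAdmins'

# 3. The targeted deny. Only the CreateChild right, and only for the user object
#    class (identified by its schemaIDGUID), inherited to every container in the
#    domain NC. Read rights are left alone, so the logon-time attribute read that
#    Carl mentions for 2003 forests still succeeds.
$userClassGuid = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of class "user"
$denySid = (Get-ADGroup -Identity 'DenyAD').SID
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $denySid,
    [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $userClassGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

$acl = Get-Acl -Path "AD:\$domainDN"
$acl.AddAccessRule($rule)          # placed in canonical order: explicit deny before allow
Set-Acl -Path "AD:\$domainDN" -AclObject $acl

# 4. Verify: show every deny ACE on the domain root that names DenyAD.
(Get-Acl -Path "AD:\$domainDN").Access |
    Where-Object { $_.IdentityReference -like '*\DenyAD' -and $_.AccessControlType -eq 'Deny' } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType -AutoSize
```

Two checks worth doing after running it: confirm with a DCAdmins member that `New-ADUser` fails while `Get-ADUser` and interactive logon to a DC still work, and remember that Builtin\Administrators holds Full Control on the domain NC head by default, so a DCAdmins member can edit the ACL and remove the deny. This is a guardrail against accidental or scripted user creation by accounts that are still DC administrators, not a security boundary against a hostile one; Domain Admins are not members of DenyAD and are unaffected.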