RE: How to prevent some specific Domain Admin Accounts from creating U
- From: Meinolf Weber <meiweb(nospam)@gmx.de>
- Date: Thu, 7 Feb 2008 17:09:33 +0000 (UTC)
Hello Carl,
Have a look here from MVP Laura Hunter, found in another posting:
LauraEHunterMVP:
kamleshqwalani is incorrect - if you add a user to the Built-In Administrators group on a domain controller, that user becomes an administrator on all domain controllers in your domain, and by extension a Domain Admin. (kamleshqwalani is correct about local Administrator membership on workstations and member servers, but not DCs.)
The difference between making a user a member of Administrators on a DC versus making them a Domain Admin is an implementation detail - for example, Domain Admins are members of the local Administrators group on each domain-joined workstation and member server, BUILTIN\Administrators are not, and BUILTIN\Administrators is a Domain Local group whereas Domain Admins is a global group. So making a user a Domain Admin will automatically proffer certain rights to domain-joined workstations and servers that BUILTIN\Administrators does not...but at the end of the day a member of BUILTIN\Administrators on a DC still has the effective rights of a Domain Admin, and so a determined user could figure out how to grant themselves whatever rights they don't have by default on workstations/member servers.
From a security perspective, BUILTIN\Administrators membership should be treated as the security equivalent of Domain Admins, even though there are certain implementation details that may differ.
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
I've done this before. (or something similar to this.)
If the group only needs to administer the DCs, they don't need to be
in the Domain Admins group. They only need to be in the Built-in
Administrators group.
The process to do this is slightly different between a 2000 forest and
a 2003 forest.
Create 2 groups. (i.e. DCAdmins and DenyAD. These are made-up
groups; call them whatever you want.)
Nest the DCAdmins in the Administrators group (this gets your account
the ability to administer the DC.) Next, add the DCAdmins group to
the DenyAD group.
The next piece is tricky since it requires denies. I have to find my
old doc on how it was done. BUT IT IS NOT a blanket deny over the
Domain NC, Configuration, and Schema. The account that is logging into
the DC needs to be able to read an attribute so that it knows it is
allowed to log in to the machine (this is for 2003 forests.)
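The thread makes two practical points: nesting a custom group into BUILTIN\Administrators is the way to delegate DC administration without Domain Admins membership, and, per Laura Hunter's note, anyone who lands in BUILTIN\Administrators on a DC must be audited as if they were a Domain Admin. The PowerShell below is an added example, not code from any poster in this thread. It assumes the RSAT ActiveDirectory module and a session with rights to read (and, for the nesting function, modify) group membership; the group names DCAdmins and DenyAD are the thread's own made-up names and are used here only as defaults.

```powershell
# Added example (not from the thread). Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Step from the thread: create DCAdmins and DenyAD, nest DCAdmins into
# BUILTIN\Administrators and into DenyAD. Group names are assumptions
# taken from the thread; change them to suit your naming convention.
function New-DcAdminsNesting {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$DcAdminsGroup = 'DCAdmins',
        [string]$DenyGroup     = 'DenyAD'
    )
    foreach ($name in @($DcAdminsGroup, $DenyGroup)) {
        if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
            if ($PSCmdlet.ShouldProcess($name, 'Create global security group')) {
                New-ADGroup -Name $name -GroupScope Global -GroupCategory Security
            }
        }
    }
    # BUILTIN\Administrators is a domain-local group, so it can hold a global group.
    if ($PSCmdlet.ShouldProcess('Administrators', "Nest $DcAdminsGroup")) {
        Add-ADGroupMember -Identity 'Administrators' -Members $DcAdminsGroup
    }
    if ($PSCmdlet.ShouldProcess($DenyGroup, "Nest $DcAdminsGroup")) {
        Add-ADGroupMember -Identity $DenyGroup -Members $DcAdminsGroup
    }
}

# Defender's check: every user who reaches BUILTIN\Administrators on the DCs
# (directly or through nesting) holds Domain-Admin-equivalent rights. List the
# ones a "Domain Admins only" review would miss.
function Get-BuiltinAdminsNotInDomainAdmins {
    param(
        [string]$DomainAdminsGroup  = 'Domain Admins',
        [string]$BuiltinAdminsGroup = 'Administrators'   # BUILTIN\Administrators
    )
    # -Recursive expands nested groups such as DCAdmins down to user objects.
    $daSids = Get-ADGroupMember -Identity $DomainAdminsGroup -Recursive |
              Where-Object { $_.objectClass -eq 'user' } |
              ForEach-Object { $_.SID.Value }

    Get-ADGroupMember -Identity $BuiltinAdminsGroup -Recursive |
        Where-Object { $_.objectClass -eq 'user' -and $daSids -notcontains $_.SID.Value } |
        Select-Object SamAccountName, DistinguishedName, SID
}

# Dry run of the nesting, then the audit report.
New-DcAdminsNesting -WhatIf
Get-BuiltinAdminsNotInDomainAdmins | Format-Table -AutoSize
```

The audit function is the useful part on an existing domain: run it on a schedule and alert on any new row, since each row is an account with effective Domain Admin rights that does not appear in the Domain Admins group. The thread's deny-ACL step is deliberately not reproduced here, because the poster never posted the exact ACEs and a blanket deny on the naming contexts breaks DC logon, as the quoted text warns.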