Re: securing critical member servers

On Jul 17, 12:40 am, Meinolf Weber <meiweb(nospam)@gmx.de> wrote:
Hello zerbi...@xxxxxxxxx,

The point is that you can not remove domain admins from an OU. Because they
are domain admins they can revert all you have done to exclude them. Even
if it is hard, you hvae to trust them. That's the reason they are domain
admins and not normal users.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!!http://www.blakjak.demon.co.uk/mul_crss.htm



hello,

we have a windows 2003 active directory and have a couple of servers
used for a very critical application (banking industry).

these servers are placed in a dedicated organizational unit and do
receive standard group policy we apply to all member servers.

however, given the particular sensitivity of the application data held
in these servers we would like to logically/Active Directory "isolate"
it from the rest of the domain, where possible.
this does not involve ipsec (servers are in a separate firewalled dmz
and traffic is already ciphered), but we would like to use gpos to
remove regular domain admins from the possibility of administering the
servers and replacing them with a dedicated domain group.
What I need to do basically I think is to use OU delegation and remove
standard domain admins and explicitely add the group we want to use
for server administration.
Anybody can give any recommendations ? I've seen many hardening
guides, they do lock down many features but they don't bother much
with removing normal domain admins rights.

thanks!
zz- Hide quoted text -

- Show quoted text -

hello meinolf,

thanks for your answer.
but what if I place for example a deny permission for domain admins in
the ou object. wouldn't that disallow domain admins from administering
that particular ou ?

regards,
zz
.

Relevant Pages

  • Re: securing critical member servers
    ... This posting is provided "AS IS" with no warranties, and confers no rights. ... The point is that you can not remove domain admins from an OU. ... we have a windows 2003 active directory and have a couple of servers ... remove regular domain admins from the possibility of administering ...
    (microsoft.public.windows.server.active_directory)
  • Re: Question about a trust relationship and terminal serices
    ... one on my internal network and one on a dmz. ... >on to servers in dmz.org. ... the int.org Domain Admins are set as members of the ... > Bob Grabbe ...
    (microsoft.public.windows.server.active_directory)
  • Restrict Desktop Administrators Issue
    ... I run a small Win2k native mode network with 28 servers, ... Since these guys are Domain Admins my policy restriction ... them out of the Domain Admins group or something else? ... My desktop guys need to be administrators on all the ...
    (microsoft.public.win2000.group_policy)
  • Restrict Desktop Administrators Issue
    ... I run a small Win2k native mode network with 28 servers, ... Since these guys are Domain Admins my policy restriction ... them out of the Domain Admins group or something else? ... My desktop guys need to be administrators on all the ...
    (microsoft.public.win2000.security)
  • Restrict Desktop Administrators Issue
    ... I run a small Win2k native mode network with 28 servers, ... Since these guys are Domain Admins my policy restriction ... them out of the Domain Admins group or something else? ... My desktop guys need to be administrators on all the ...
    (microsoft.public.win2000.active_directory)