Re: securing critical member servers



Hello zerbie45@xxxxxxxxx,

An admin is an admin, is an admin..................

What if you create a workgroup server in your network and use Terminal Services for using the application? Then you can have special admins for that server.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

On Jul 17, 12:40 am, Meinolf Weber <meiweb(nospam)@gmx.de> wrote:

Hello zerbi...@xxxxxxxxx,

The point is that you cannot remove Domain Admins from an OU.
Because they are Domain Admins they can revert all you have done to
exclude them. Even if it is hard, you have to trust them. That's the
reason they are Domain Admins and not normal users.

Best regards

Meinolf Weber
Hello,

We have a Windows 2003 Active Directory and have a couple of servers used for a very critical application (banking industry).

These servers are placed in a dedicated organizational unit and do receive the standard group policy we apply to all member servers.

However, given the particular sensitivity of the application data held in these servers, we would like to logically/Active Directory "isolate" it from the rest of the domain, where possible.
This does not involve IPsec (servers are in a separate firewalled DMZ and traffic is already ciphered), but we would like to use GPOs to remove regular Domain Admins from the possibility of administering the servers and replace them with a dedicated domain group.
What I need to do basically, I think, is to use OU delegation and remove standard Domain Admins and explicitly add the group we want to use for server administration.
Can anybody give any recommendations? I've seen many hardening guides; they do lock down many features but they don't bother much with removing normal Domain Admins rights.
Thanks!
zz

Hello Meinolf,

Thanks for your answer.
But what if I place, for example, a deny permission for Domain Admins on the OU object? Wouldn't that disallow Domain Admins from administering that particular OU?
Regards,
zz
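As an added example, not code from either poster in this thread: the deny ACE zz asks about, applied with PowerShell through System.DirectoryServices (the [ADSI] accelerator speaks plain LDAP, needs no ActiveDirectory module, and so also works against a Windows 2003 domain), followed by the check that shows why Meinolf's "they can revert all you have done" holds. The OU distinguished name and the NetBIOS domain name are assumptions; replace them with your own, and run it as an account that is allowed to change the OU's security descriptor.

```powershell
# Added example, not code from the thread. The OU DN and the NetBIOS
# domain name below are assumptions; substitute your own values.
$OuPath = "LDAP://OU=CriticalServers,DC=example,DC=com"
$Domain = "EXAMPLE"

# Bind to the OU over plain LDAP and grab its security descriptor.
$ou  = [ADSI]$OuPath
$acl = $ou.psbase.ObjectSecurity

# Resolve the Domain Admins SID so the ACE is matched on the SID, not on a name.
$daAccount = New-Object System.Security.Principal.NTAccount("$Domain\Domain Admins")
$daSid     = $daAccount.Translate([System.Security.Principal.SecurityIdentifier])

# 1. The deny ACE asked about: deny Domain Admins all rights on the OU and,
#    through inheritance, on every object beneath it.
$deny = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $daSid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Deny,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
)
$acl.AddAccessRule($deny)
$ou.psbase.CommitChanges()

# 2. Re-read the OU and list every ACE that names Domain Admins, so you can
#    see the new deny next to whatever allow ACEs are inherited from above.
$ou.psbase.RefreshCache()
$acl = $ou.psbase.ObjectSecurity
$acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference -eq $daSid } |
    Select-Object AccessControlType, ActiveDirectoryRights, IsInherited |
    Format-Table -AutoSize

# 3. The check that matters: who owns the OU?  The owner of any Windows
#    securable object implicitly holds READ_CONTROL and WRITE_DAC, no matter
#    what deny ACEs say, so the owner can simply remove the deny ACE again.
#    Objects created by a member of Domain Admins are owned by Domain Admins
#    by default.
$ownerSid  = $acl.GetOwner([System.Security.Principal.SecurityIdentifier])
$ownerName = $ownerSid.Translate([System.Security.Principal.NTAccount])
"Owner of $($ou.distinguishedName): $ownerName"
if ($ownerSid -eq $daSid) {
    "Domain Admins own this OU: as owner they keep WRITE_DAC and can strip the deny ACE."
}
```

Even if you change the owner, members of Domain Admins sit in the Administrators group on the domain controllers, which holds the take-ownership privilege under the Default Domain Controllers Policy, and Domain Admins is placed in the local Administrators group of every member server by default. The ACL on the OU therefore governs neither who can restore it nor who can log on to and administer the servers themselves, which is the practical content of "an admin is an admin".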




