Re: Prevent changes to Administrator password
- From: John Policelli [MVP - DS] <JohnPolicelliMVPDS@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Sun, 26 Oct 2008 20:00:01 -0700
I think you missed something...
The group is used in ACEs on the AdminSDHolder ACL. I did not mean to
recommend modifying the ACL on the group itself.
By using a group in the deny ACEs, you can add/remove users from this group
as required. This has always been a best practice for assigning permissions.
My point about testing:
1) I did not have the time to test this myself, so I am not 100% certain it
will work. I have done something similar in the past, so I am pretty
confident.
2) Anytime you make a change to your production environment, you need to
test it first. This is even more applicable when you are denying permissions
to DAs on the AdminSDHolder. Don't forget, AdminSDHolder protects a large
number of groups, and effectively users.
--
Please rate my posts: helpful/not helpful/answer/not an answer.
This posting is provided "AS IS" with no warranties and confers no rights!
ALWAYS TEST!
Blog: http://johnpolicelli.wordpress.com
"Brandon McCombs" wrote:
John Policelli [MVP - DS] wrote:
I agree with everyone on this post...you should not give DA if you do not
trust someone. However, the reality is there are cases where you may need to
give DA to someone. Also, just because you do not want them to change the
password of the Administrator account in the root domain, does not mean you
do not trust them. So I am giving you a potential option to help you mitigate
the risk of these individuals changing the password on the
RootDomain\Administrator account.
First, you need to understand that permissions on the
RootDomain\Administrator account are applied via AdminSDHolder so you need to
modify the permissions on the AdminSDHolder object in the root domain. Keep
in mind that doing this will prevent these individuals from resetting the
password for any user that is a member of a group that is protected by
AdminSDHolder and prevent these users from modifying the ACL on any user that
is a member of the AdminSDHolder group. You need to decide whether this is
feasible based on your delegation requirements. If you decide that this is
feasible, this is something you can TEST. Remember, these are pretty serious
changes, so test the heck out of it in your environment before implementing
it into production.
If you are just having him create a group and modify it using ACLs then
if anything goes wrong it can easily be undone by removing the admins
from the new group (there are other ways too), right? If so, why label
this as a serious change? Did I miss something?
1) Create a group in your root domain (call it whatever you want, but I'll
refer to it as "Restricted Admins")
2) Modify the AdminSDHolder in your root domain as follows:
- Deny the Restricted Admins group the Reset Password permission
- Deny the Restricted Admins group the Write Permissions permission
You can view the following for more information on modifying AdminSDHolder
permissions.
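The two deny ACEs described in the steps above, as an added PowerShell example that is not part of this thread or its authors' posts. It assumes the ActiveDirectory module is available, that a group named "Restricted Admins" already exists in the forest root domain, and that the session runs as an account allowed to modify the AdminSDHolder DACL. The "Reset Password" control-access right GUID used here is the well-known User-Force-Change-Password GUID; "Write Permissions" maps to the WriteDacl right.

```powershell
# Added example (not from the thread): deny the "Restricted Admins" group the
# Reset Password and Write Permissions (WriteDacl) rights on AdminSDHolder in the
# forest root domain. Assumes the group name "Restricted Admins" (hypothetical).
Import-Module ActiveDirectory

$rootDomain     = Get-ADDomain -Identity (Get-ADForest).RootDomain
$adminSdHolderDn = "CN=AdminSDHolder,CN=System,$($rootDomain.DistinguishedName)"
$groupSid       = (Get-ADGroup -Identity "Restricted Admins" -Server $rootDomain.PDCEmulator).SID

# Well-known control-access right GUID for "Reset Password" (User-Force-Change-Password).
$resetPasswordGuid = [Guid]'00299570-246d-11d0-a768-00aa006e0529'

$acl = Get-Acl -Path "AD:\$adminSdHolderDn"

# Deny ACE 1: the Reset Password extended right on the object itself.
$denyReset = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $resetPasswordGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

# Deny ACE 2: Write Permissions (WriteDacl), so the group cannot rewrite the ACL.
$denyWriteDacl = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl,
    [System.Security.AccessControl.AccessControlType]::Deny,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

$acl.AddAccessRule($denyReset)
$acl.AddAccessRule($denyWriteDacl)

# Dry run first; remove -WhatIf only after reviewing the change in a test forest.
Set-Acl -Path "AD:\$adminSdHolderDn" -AclObject $acl -WhatIf

# Verification: show the deny ACEs that now reference the group on AdminSDHolder.
(Get-Acl -Path "AD:\$adminSdHolderDn").Access |
    Where-Object { $_.AccessControlType -eq 'Deny' -and $_.IdentityReference -like '*Restricted Admins' } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType -AutoSize
```

The ACEs do not reach the protected accounts until the SDProp process next copies the AdminSDHolder DACL onto them (every 60 minutes by default), so check the effective permissions on RootDomain\Administrator after that interval rather than immediately. Rolling back is a matter of removing members from the group, or removing the two deny ACEs and letting SDProp propagate again.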