Re: Restrict the Domain Admin

From: Christos Triantafyllidis (ctria_at_physics.auth.gr)
Date: 09/17/05

  • Next message: Pete Hunt: "Re: Restrict the Domain Admin"
    Date: Sun, 18 Sep 2005 00:13:53 +0300
    To: sf_mail_sbm@yahoo.com
    
    
    

    sf_mail_sbm@yahoo.com wrote:
    > Hi List,
    > Is there a way to restrict access of a Domain Admin?
    Nope.
    >
    > Example, can we allow a Dommain admin to do everything EXCEPT user management (e.g. password reset)?
    This won't be a "Domain admin"
    >
    > We want to secure our environment, and do not want to have "ALL-POWERFULL" domain admins around
    >
    > Thanks for your suggestions
    >
    > P.S. Environment: Windows (2000 & 2003) - Active Directory
    >

    The best you can use is limit your domain admin account to the people
    that should be domain admins. Add a new custom group for each privilege
    that Active Directory allows you to have, and make users members of the
    groups they should be.

    
    



  • Next message: Pete Hunt: "Re: Restrict the Domain Admin"

    Relevant Pages

    • Re: Restrict the Domain Admin
      ... > Is there a way to restrict access of a Domain Admin? ... can we allow a Dommain admin to do everything EXCEPT user management? ... that's the whole point behind a domain admin account. ...
      (Security-Basics)
    • Restrict the Domain Admin
      ... ('binary' encoding is not supported, ... Is there a way to restrict access of a Domain Admin? ... can we allow a Dommain admin to do everything EXCEPT user management? ...
      (Security-Basics)