Re: Restrict the Domain Admin

From: cc (cc_at_belfordhk.com)
Date: 09/20/05

  • Next message: sf_mail_sbm_at_yahoo.com: "Re: Security Training for Company's Employee"
    Date: Tue, 20 Sep 2005 14:56:18 +0800
    To: security-basics@securityfocus.com
    
    

    sf_mail_sbm@yahoo.com sighed and wrote::

    > Hi List,
    > Is there a way to restrict access of a Domain Admin?

    Here's my $0.02.

    By restricting the access of a domain admin, you've already
    defeated the purpose of a domain admin. The main point of
    the matter is that in order for one person to be a domain
    admin, you must have extraordinary (or maybe just special)
    trust in both the person's ability and their standards of
    operating procedures. By restricting access to the domain
    admin, you are in essence saying, "Here's the domain access,
    but we don't trust you enough to give you the full 9 yards
    so we're restricting your access to these privileges."

    If you don't have 100% confidence in either the person's
    ability or their ethics, you really shouldn't be giving
    the person that much access to begin with.

    As some other poster (Mr. Armfield) mentioned here, eventually
    you'll need a person who has access to the whole nine yards.


  • Next message: sf_mail_sbm_at_yahoo.com: "Re: Security Training for Company's Employee"

    Relevant Pages

    • RE: Restrict the Domain Admin
      ... > Is there a way to restrict access of a Domain Admin? ... I would not recommend messing with the Domain Admin rights. ... Control the groups that your new group is a member of. ...
      (Security-Basics)
    • Re: Restrict the Domain Admin
      ... > Is there a way to restrict access of a Domain Admin? ... can we allow a Dommain admin to do everything EXCEPT user management? ... that's the whole point behind a domain admin account. ...
      (Security-Basics)
    • Restrict the Domain Admin
      ... ('binary' encoding is not supported, ... Is there a way to restrict access of a Domain Admin? ... can we allow a Dommain admin to do everything EXCEPT user management? ...
      (Security-Basics)
    • RE: How do I prevent users with DOMAIN ADMIN accessing the entire
      ... >> think there should be an ability with WSS to control what DOMAIN ADMIN has ... >> WSS Admin fat fingers there account. ... >> Bob Fox ... >>> I think there should be an ability with WSS to control what DOMAIN ADMIN has ...
      (microsoft.public.sharepoint.windowsservices)
    • Re: local policy and loging on interactivly
      ... If your computer is in domain, your domain admin may have restricted your ... ability to log on locally to just one computer. ... > If this is a domain computer you can use domain/OU policy to override ... > unless it involved moving it from a domain to a workgroup which even then ...
      (microsoft.public.win2000.security)