Re: restricting admin access to network
From: Lanwench [MVP - Exchange] (lanwench_at_heybuddy.donotsendme.unsolicitedmail.atyahoo.com)
Date: 09/16/05
- Next message: null: "Re: How to tell if a firewall alert is suspicious or not"
- Previous message: ID10T_ERROR: "Re: Program that disables my anti-virus"
- In reply to: Steven L Umbach: "Re: restricting admin access to network"
- Next in thread: =pathfinder=: "Re: restricting admin access to network"
- Reply: =pathfinder=: "Re: restricting admin access to network"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 16 Sep 2005 11:30:15 -0400
In news:OdEi2dguFHA.3932@TK2MSFTNGP15.phx.gbl,
Steven L Umbach <n9rou@nospam-comcast.net> typed:
> First off in a root domain you really can not prevent a member of the
> administrators group for the "domain" or domain admins group from
> becoming whatever they want including enterprise or schema
> administrators. You really should only need a couple of
> administrators [or domain admins] for the domain. You can however add
> regular domain users to the local administrators group of any domain
> computer that is not a domain controller. You can do it via a Group
> Policy startup script using the net localgroup command or use
> Restricted Groups via a Group Policy linked at the OU level and then
> add the domain computers you want them to be local administrators on
> into that OU. You may want to use "member of" option when you do
> this, create a global group that contains the users you want, then
> add it to administrators. Your Windows 2000 computers will need to be
> at SP4 for "member of" to work right. You do not have to use "member
> of" but the other option will replace and enforce current membership
> in the local administrators group on those domain computers which may
> or may not be desirable for you. Once you have that, make sure that
> membership of administrators [for the domain], domain admins,
> enterprise admins, and schema admins is what you want and monitor it
> closely and be sure that auditing of account management is enabled in
> Domain Controller Security Policy so that it can help you monitor
> changes in group membership.
>
> -- Steve
When you post in here, always include your version, SP level, and mode (if
applicable) of Outlook - you can find this information in Help | About. Also
include the type of mail account(s) you use and any other pertinent details.
In addition, you can add domain groups to local workstation groups. I
usually create a group in AD called "Local Admins" and add that group to
every workstation's local administrators group - which you can do
centrally - and add the domain users/groups I wish to that group.
>
> http://www.microsoft.com/technet/security/default.mspx --- TechNet
> Security home page
>
> "=pathfinder=" <pathfinder@discussions.microsoft.com> wrote in message
> news:D628EF43-42A6-4C6C-A231-C45BEC5D8D69@microsoft.com...
>> I need to figure out a way to prevent the network admins from
>> promoting themselves to enterprise/schema admins. I have already
>> set up the restricted group, but they can still add themselves to
>> these groups to bypass this. Questions:
>>
>> 1) How can I set the permissions so only enterprise admin can edit
>> all GPO's? I will then delegate specific policies to specific people.
>>
>> 2) Can I modify the default domain GPO ACL to only have enterprise
>> admin edit it? I see in the GPMC that I can remove the delegation
>> to domain admins. Is this how I go about this?
>>
>> 3) MOST IMPORTANTLY: I have tried removing domain admin permissions
>> from my guys, but then it gets really hard for them to do their work
>> on client PC's since they have to log in as local admin. What can I do
>> to ease this pain and remove domain admin for a few more guys? I
>> have added them to the administrators group in AD but that did not
>> seem to help.
>>
>> 4) Right now the group "domain admins" is added to the Remote tab of
>> the System tab. Should I replace this with the "Remote Desktop Users"
>> group? I am also considering customizing this per server, is this safe?
>>
>> I realize that I am not doing things the right way and that none of
>> us should log onto every/any PC as a domain admin, but I do not
>> have a more efficient method yet.
>>
>> TIA
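The two pieces of advice in this thread (give helpdesk staff local admin on workstations through a domain group such as "Local Admins", with either "member of" or "replace membership" semantics, and monitor the privileged domain groups closely) as an added PowerShell example. This is not code from the thread or from either poster; it assumes a domain with NetBIOS name CORP, a global group "CORP\Local Admins", Windows 10 / Server 2016 or later for the LocalAccounts cmdlets, and the RSAT ActiveDirectory module run against the forest root domain for the drift check. All group and account names are illustrative.

```powershell
# Added example, not code from the thread. Assumptions (all illustrative):
#   - domain NetBIOS name CORP; a global group "CORP\Local Admins" (the
#     "Local Admins" pattern in the reply above) that helpdesk staff are put in;
#   - Windows 10 / Server 2016 or later (Microsoft.PowerShell.LocalAccounts
#     cmdlets) and, for the second function, the RSAT ActiveDirectory module
#     run in the forest root domain, where Enterprise/Schema Admins live.

# Run as a Group Policy computer startup script (the modern counterpart of the
# "net localgroup" startup script mentioned in the thread). Without -Enforce it
# behaves like Restricted Groups "This group is a member of": it only adds the
# allowed principals and leaves everyone else alone. With -Enforce it behaves
# like "Members of this group": every other member is removed, except the
# built-in Administrator (RID 500), which this script keeps on purpose so a
# machine is never left without a local administrator.
function Sync-LocalAdministrators {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string[]] $Allowed,   # e.g. 'CORP\Local Admins','CORP\Domain Admins'
        [switch] $Enforce
    )
    $current = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop

    foreach ($principal in $Allowed) {
        # -notcontains is case-insensitive, matching how Windows compares names
        if ($current.Name -notcontains $principal) {
            if ($PSCmdlet.ShouldProcess('Administrators', "add $principal")) {
                Add-LocalGroupMember -Group 'Administrators' -Member $principal
            }
        }
    }

    if ($Enforce) {
        foreach ($member in $current) {
            $isBuiltinAdmin = $member.SID.Value -like '*-500'
            if (-not $isBuiltinAdmin -and $Allowed -notcontains $member.Name) {
                if ($PSCmdlet.ShouldProcess('Administrators', "remove $($member.Name)")) {
                    # Remove by SID string so entries for deleted accounts are handled too
                    Remove-LocalGroupMember -Group 'Administrators' -Member $member.SID.Value
                }
            }
        }
    }
}

# Scheduled check for the "monitor membership closely" advice: compare the
# privileged groups against a baseline and emit one object per drift item.
# Pair it with account-management auditing on the domain controllers, which
# records who made the change; this only shows that a change happened.
function Test-PrivilegedGroupMembership {
    param(
        [Parameter(Mandatory)] [hashtable] $Baseline   # group name -> expected sAMAccountNames
    )
    foreach ($group in $Baseline.Keys) {
        # -Recursive expands nested groups, so an account added via a nested
        # group (a common way to hide an extra admin) is still reported
        $actual = @(Get-ADGroupMember -Identity $group -Recursive |
                    Select-Object -ExpandProperty SamAccountName)
        foreach ($name in $actual) {
            if ($Baseline[$group] -notcontains $name) {
                [pscustomobject]@{ Group = $group; Account = $name; Status = 'UNEXPECTED' }
            }
        }
        foreach ($name in $Baseline[$group]) {
            if ($actual -notcontains $name) {
                [pscustomobject]@{ Group = $group; Account = $name; Status = 'MISSING' }
            }
        }
    }
}

# Usage as a workstation startup script (add -WhatIf first to preview removals):
# Sync-LocalAdministrators -Allowed 'CORP\Local Admins', 'CORP\Domain Admins' -Enforce
#
# Usage as a scheduled task on a management host (baseline is illustrative):
# $baseline = @{
#     'Domain Admins'     = @('Administrator', 'da-steve')
#     'Enterprise Admins' = @('Administrator')
#     'Schema Admins'     = @()          # empty except while a schema change is in progress
#     'Administrators'    = @('Administrator', 'da-steve')
# }
# Test-PrivilegedGroupMembership -Baseline $baseline | Format-Table
```

Restricted Groups in Group Policy remains the native way to do the first part; the script only makes the difference between the two semantics explicit, and -Enforce is the one that silently strips local accounts the helpdesk may have created by hand, so run it with -WhatIf on a pilot OU first. The drift check is a detective control, not a preventive one: as the reply above says, a member of Domain Admins in the root domain can still add themselves to Enterprise or Schema Admins, so the value is in running it often and alerting on any UNEXPECTED row.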