Re: Active Directory Admin privileges
- From: "Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx>
- Date: Fri, 28 Apr 2006 13:40:49 -0400
You cannot protect your domain from people you give access to DCs; plain and simple. Some extremely intelligent people have been working on that problem for 6 years now and there isn't a solution that can't be bypassed. The solution therefore has to come from MS, and the best attempt at it is coming out of Redmond in Longhorn and is called Read Only DCs with delegated administrator. It won't be a solution for everyone as there will be caveats. As to what they are, it isn't known yet; they are still building the stuff. :)
Forests, regardless of the number of domains, should have one small (3-8) set of domain admins who are also enterprise admins who do management of all DCs. No one else should have any built-in rights such as account operator or server operator or even local logon onto Domain Controllers. I ran a Fortune 5 global company like that: 9 domains, 250,000 users, ~400 DCs spread across nearly every time zone in the world, and all managed out of Dearborn, Michigan by 3 engineers and a supervisor.
Anyway, in the last post I was directly responding to your comment of
"Previously, each campus was their own child domain, so each one could be a domain admin, and not have to worry about them having access to sensitive material back at the corporate HQ."
That is completely incorrect. Any time an admin in a child domain wanted access to sensitive material back at corp hq they could have gotten that access unless you were using some form of third party encryption that has no dependence on Windows security.
joe
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
Dave wrote:
The child domains weren't done for security reasons; it was done because prior to that, each campus was its own domain, completely disconnected from the other campuses. Each site had their own domain name, Exchange server, etc. They were totally isolated. Politically, it was easier to bring them together as child domains, so the existing campus admins would still have a sense of control over their network. When enough of those people left, and things progressed, we were able to centralize things. The final domain collapse was just the last step in that centralization.
As was pointed out, my big problem is with the servers being DCs and the need to let them manage them.
I was thinking of simply making them domain admins, but putting explicit denies on the critical servers. Not the best solution, but makes it easier...
"Joe Richards [MVP]" wrote:
To add onto Roger's excellent response, you weren't as safe as you think you were with the child domains and protecting your HQ. You just didn't understand how Windows works. Had a child DA wanted to take over your HQ domain it wouldn't have been a lot of work for them to do so. The domain is not a security boundary in an AD forest.
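The privilege model Joe describes (one small set of Domain Admins who are also Enterprise Admins, and nobody in the built-in operator groups) can be audited across a whole forest; the script below is an added example, not from the thread or from joeware, and assumes the RSAT ActiveDirectory module plus an account that can read group membership in every domain.

```powershell
# Added example: audit forest-wide privileged group membership against the guidance in the thread.
# Assumes: RSAT ActiveDirectory module; read access to group membership in all domains.
Import-Module ActiveDirectory

$MaxAdmins = 8   # upper end of the 3-8 Domain Admins range suggested in the thread
$forest    = Get-ADForest

# Enterprise Admins exists only in the forest root domain; collect member SIDs (not names,
# since the same sAMAccountName can legitimately exist in several domains).
$eaSids = Get-ADGroupMember -Identity 'Enterprise Admins' -Server $forest.RootDomain -Recursive |
    Where-Object { $_.objectClass -eq 'user' } | ForEach-Object { $_.SID.Value }

# Groups that grant rights on DCs. Per the thread, only Domain Admins should have members,
# and those members should all be Enterprise Admins.
$groups = 'Domain Admins', 'Account Operators', 'Server Operators'

$findings = foreach ($domain in $forest.Domains) {
    foreach ($group in $groups) {
        # -Recursive can fail on foreign security principals from other domains; we skip those errors
        # rather than abort the whole audit.
        $members = Get-ADGroupMember -Identity $group -Server $domain -Recursive -ErrorAction SilentlyContinue |
            Where-Object { $_.objectClass -eq 'user' }
        foreach ($m in $members) {
            [pscustomobject]@{
                Domain            = $domain
                Group             = $group
                Member            = $m.SamAccountName
                IsEnterpriseAdmin = ($eaSids -contains $m.SID.Value)
            }
        }
    }
}

foreach ($domain in $forest.Domains) {
    $das = @($findings | Where-Object { $_.Domain -eq $domain -and $_.Group -eq 'Domain Admins' })
    if ($das.Count -gt $MaxAdmins) {
        "WARN $($domain): $($das.Count) Domain Admins (guidance: at most $MaxAdmins)"
    }
    foreach ($x in ($das | Where-Object { -not $_.IsEnterpriseAdmin })) {
        "WARN $($domain): Domain Admin $($x.Member) is not also an Enterprise Admin"
    }
    foreach ($x in ($findings | Where-Object { $_.Domain -eq $domain -and $_.Group -ne 'Domain Admins' })) {
        "WARN $($domain): $($x.Group) member $($x.Member) holds built-in rights on DCs"
    }
}
```

The "local logon onto Domain Controllers" point is a user right ("Allow log on locally" in the Default Domain Controllers Policy), not group membership, so it needs a separate GPO review that this script does not perform.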