Re: How to restrict changes to Domain Admin & Administrator Groups
- From: "Shenan Stanley" <newshelper@xxxxxxxxx>
- Date: Sat, 25 Apr 2009 11:24:01 -0500
Stan wrote:
> Is there a way to protect W2003 AD Domain Admin & Administrator
> Groups so existing members cannot add other users to these groups?
> I only want our Enterprise Admins group to have change rights to
> these groups.
> I have tested
> Created OU - Test,
> Removed write permission for domain admins on this Test OU.
> Blocked inheritance with exception of Enterprise Admins
> Then moved Domainadmin group to this OU,
> Removed write permission and removed self as member for this group
> But after 1 hr all the settings are rolled back..
> If this is not possible and Microsoft does not recommend this can
> you point me to MS Documentation
> I need to show our auditors this kind of change is not possible.

Who cares about the auditors at this point?
If you have domain admins/administrator group members you cannot trust with
the power this gives them - they should not be in those groups at all.
That's a social/political issue - not a technical one.
Don't complicate a simple problem - those who cannot be trusted with extra
privs do not get extra privs.
--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html