Re: ACL Issue - Easy Question

From: Tom Baker (tdbaker@hotmail.com)
Date: 08/09/02

The problem is they need full rights to work on the DC because they are the
local office IT staff. However, what I do not want them to have is the ability
to add or remove people from Domain Admins or Enterprise Admins. By
default they can, being an Administrator. How would you delegate permission
so that they have all the necessary rights to administer the machine (add
users, install software, create computer accounts, install drivers, reboot
etc.) while restricting their ability to make changes to security groups?

"Ben Smith [MS]" <bensmi@microsoft.com> wrote in message
news:MPG.17bd8507331a63ec9899ae@msnews.microsoft.com...
> In article <uAoyZf7PCHA.2608@tkmsftngp10>, Tom Baker
> (tdbaker@hotmail.com) writes...
> > Hello Everyone,
> >
> > I have a situation where a few people need to be in the Administrator
> > group on the DC's in our domain. What we do not want them to be able to do
> > is add either themselves or other people to the Domain Admins or
> > Enterprise Admins group. My assumption is that I can go to the security
> > tab on each of these objects and remove the WRITE and Add Self permissions
> > from the Administrators group's set of permissions. I just want to make
> > sure that as soon as I do that, my weekend isn't going to be spent
> > restoring AD because I have screwed the system up.
> >
> > Any feedback would be appreciated.
> >
> > Tom Baker
> >
>
> Administrators are administrators. You should consider delegating
> the authority to the non-administrators rather than altering the built-
> in rights/permissions on the Administrators group.
>
> --
> Ben Smith
> Microsoft Training and Certification
> Are you secure? http://www.microsoft.com/security
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
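Ben's suggestion, delegating directory authority to a group that is not in Administrators, looks like the following. This is an added example, not code from the original thread or from Microsoft; the OU name `OU=Branch,DC=example,DC=com`, the group name `BranchIT` and the use of the ActiveDirectory PowerShell module are assumptions. It grants the branch group the right to create, delete and fully manage user and computer objects under one OU, which covers the "add users, create computer accounts" part of the request without touching the ACLs on Domain Admins or Enterprise Admins. It does not grant any rights on the DC itself (installing software or drivers, rebooting), which AD delegation cannot do; those are local machine rights and are exactly why membership in the DC's Administrators group cannot be meaningfully restricted.

```powershell
# Added example (not from the original thread). Delegate user and computer
# administration on one OU to a non-administrator group instead of editing
# the permissions on Domain Admins / Enterprise Admins.
Import-Module ActiveDirectory

$ouDN      = 'OU=Branch,DC=example,DC=com'   # assumed OU for the branch office
$groupName = 'BranchIT'                       # assumed delegation group (NOT in Administrators)

$group = Get-ADGroup -Identity $groupName
$sid   = [System.Security.Principal.SecurityIdentifier] $group.SID

# Well-known schemaIDGUIDs of the object classes being delegated; these are
# the same in every forest because they are defined by the base schema.
$userClass     = [Guid] 'bf967aba-0de6-11d0-a285-00aa003049e2'
$computerClass = [Guid] 'bf967a86-0de6-11d0-a285-00aa003049e2'

$acl = Get-Acl -Path "AD:\$ouDN"

foreach ($class in @($userClass, $computerClass)) {
    # Right to create and delete objects of this class in the OU and its sub-OUs
    $createDelete = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        ([System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor
         [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild),
        [System.Security.AccessControl.AccessControlType]::Allow,
        $class,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $acl.AddAccessRule($createDelete)

    # Full control over existing objects of this class beneath the OU
    # (inherited-object-type ACE: applies only to descendants of that class)
    $manage = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $class)
    $acl.AddAccessRule($manage)
}

Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verify: show only the ACEs that now name the delegated group on the OU
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType, InheritanceType
```

The delegation is scoped to the OU, so the group gains nothing over Domain Admins, Enterprise Admins or any object outside that subtree, and there is nothing on the built-in groups to undo later. Keep the delegated group out of the DC's Administrators group; once an account is an administrator on a DC it can rewrite any ACL, including this one and the ones on the protected groups, so the restriction Tom is asking for only holds while the delegation, not group membership, is the source of their rights.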
