Re: Strange Admin Security Phenomenon

From: Joe Richards [MVP] (humorexpress@hotmail.com)
Date: 02/07/03


From: "Joe Richards [MVP]" <humorexpress@hotmail.com>
Date: Fri, 7 Feb 2003 17:53:11 -0500


> From now on enterprise admins do not have the power to change something in
> the child domain. Correct me if that isn't true...

That isn't true. You cannot effectively remove the ability of an Enterprise
Administrator to get in and manipulate a child domain.

> But now comes the strange thing. Remember I removed the ACE from the local

This is due to the adminSDHolder. It is by design to protect the ACLs on
administrator and other high power native accounts.

--
Joe Richards
www.joeware.net
---
"Lyndon Frei" <lyndon.frei@nospam.innobit.ch> wrote in message
news:#YbeeufzCHA.2512@TK2MSFTNGP11...
> Hi
>
> I'm trying to limit administrative access from a root domain down to a child
> domain.
> I removed all entries of the Enterprise Administrators group in the child
> domain's ACL in Active Directory.
>
> That are the membership in the domain local admin group, the access control
> entry in the security tab of the child domain root object and at last the
> access control entry in the local domain administrator account itself. All
> those I removed.
>
>
> But now comes the strange thing. Remember I removed the ACE from the local
> administrator account? Well always about 20 minutes after I do that, the
> enterprise admin group reappears in the account's ACE, with full control!
>
> Has somebody also witnessed this strange behaviour?!? Did I miss something
> in group policy or did Microsoft hardcode that automation in to the OS
> code?!?
>
> I would be really glad for a hint!
>
> TIA
>     Lyndon
>
>
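
Added example, not part of the original thread: a PowerShell check that compares the explicit ACEs on each protected account with those on the adminSDHolder object named in the reply, to show which manual ACL edits differ from the template. It assumes the ActiveDirectory RSAT module, a session in the child domain with read access to the directory, and the standard location CN=AdminSDHolder,CN=System,<domain DN>; the function name Get-AceKey is hypothetical.

```powershell
# Added example: report where protected accounts' ACLs differ from AdminSDHolder.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$holderDN = "CN=AdminSDHolder,CN=System,$domainDN"

# Hypothetical helper: flatten one ACE into a string so two ACLs can be compared.
function Get-AceKey {
    param($Ace)
    '{0}|{1}|{2}|{3}|{4}' -f $Ace.IdentityReference, $Ace.AccessControlType,
        $Ace.ActiveDirectoryRights, $Ace.ObjectType, $Ace.InheritedObjectType
}

# Explicit (non-inherited) ACEs on the template object.
$template = @((Get-Acl -Path "AD:\$holderDN").Access |
    Where-Object { -not $_.IsInherited } |
    ForEach-Object { Get-AceKey $_ } | Sort-Object -Unique)

# Accounts flagged adminCount=1 have been stamped with the template at some point.
# The flag is not cleared automatically when an account leaves a protected group,
# so stale entries can show up here too.
Get-ADUser -LDAPFilter '(adminCount=1)' | ForEach-Object {
    $acl     = Get-Acl -Path "AD:\$($_.DistinguishedName)"
    $current = @($acl.Access |
        Where-Object { -not $_.IsInherited } |
        ForEach-Object { Get-AceKey $_ } | Sort-Object -Unique)

    $diff = @(Compare-Object -ReferenceObject $template -DifferenceObject $current)

    [pscustomobject]@{
        Account            = $_.SamAccountName
        # True means the account ignores ACEs inherited from its parent container.
        InheritanceBlocked = $acl.AreAccessRulesProtected
        # ACEs in the template but absent on the account (e.g. one removed by hand).
        MissingOnAccount   = @($diff | Where-Object SideIndicator -eq '<=' |
                                ForEach-Object InputObject)
        # ACEs on the account that the template does not contain.
        ExtraOnAccount     = @($diff | Where-Object SideIndicator -eq '=>' |
                                ForEach-Object InputObject)
    }
} | Format-List
```

An account listed with entries under MissingOnAccount right after a manual ACE removal, and with none on a later run, matches the reappearing-ACE behaviour described in the question.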

