Re: full sharing between domain admins
From: Steven L Umbach (n9rou_at_attbi.com)
Date: 04/29/03
- Next message: Mohammad Saiful Islam: "preventing logon to the workstatioin more than one in the network."
- Previous message: Steven L Umbach: "Re: Local Policies and Roaming Profiles Prob"
- In reply to: Jason Garms [MS]: "full sharing between domain admins"
- Next in thread: senol: "One more thing : full sharing between domain admins"
- Reply: senol: "One more thing : full sharing between domain admins"
Date: Tue, 29 Apr 2003 01:19:15 GMT
Senol. They could also remove the domain administrator from the
administrators group on their machine and add themselves; however, as Jason
mentions, a determined domain administrator ultimately has ways to gain
control again of any domain machine - using restricted groups would put
themselves back in the local administrators group, for instance. A solution may be
to remove their computers from the domain or possibly use a third-party
encryption tool to encrypt sensitive data (EFS can be accessed by the domain
administrator via the recovery agent).
--- Steve
"Jason Garms [MS]" <jasong@microsoft.com> wrote in message
news:01d001c30dc6$2d939c00$a501280a@phx.gbl...
> Hi Senol,
>
> In general, it's not a good practice to have your domain
> admins log on to workstations as domain admins all the
> time. They should have 2 accounts -- one they use for
> daily activities, such as logging on to workstations,
> reading email, surfing the web, writing documents; and a
> second account that is a domain administrator that is only
> ever used to perform administrative functions. Then the
> user can use "secondary logon" (runas) to perform
> administrative actions with his/her administrative account.
>
> Also, to your specific question about denying them access
> to the administrative share of other domain admins, it's
> ultimately a lost cause, since domain admins are in fact
> ultimately domain admins, and as long as the workstations
> are part of the domain, a domain admin can do things to
> get access to it. However, you could achieve your request
> by adding the other domain admin accounts to the "deny
> network access" user logon rights. However, this will not
> only prevent them from accessing the administrative
> shares, but also any share, and other networking function.
> Just realize that a determined domain administrator could
> still change this -- by using group/domain policy.
>
> best,
> -jasong
>
> >-----Original Message-----
> >We have a domain with more than one domain admin. Every domain admin has
> >an individual PC. If an admin logs on to his/her individual PC with his/her
> >admin account then they have full access to others' default admin shares. We
> >want to prevent this default full sharing between domain admins. How can we
> >do this?
> >
> >
> >.
> >
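
The "deny network access" user right discussed in this thread is stored as SeDenyNetworkLogonRight, and Jason's caveat is that policy can change it again. As an added example (not part of the original messages), this PowerShell sketch parses a `secedit /export` user-rights listing and compares that right against an agreed baseline; the sample export text, the SIDs, the baseline and the helper name `Get-UserRightHolder` are all constructed for illustration.

```powershell
# Constructed sample of what `secedit /export /cfg rights.inf /areas USER_RIGHTS`
# writes on a workstation. All SIDs here are made up for illustration.
$sampleExport = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeDenyNetworkLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1105,*S-1-5-21-1111111111-2222222222-3333333333-1106
[Version]
signature="$CHICAGO$"
Revision=1
'@

# Hypothetical helper: returns the accounts/SIDs assigned a given user right.
function Get-UserRightHolder {
    param(
        [Parameter(Mandatory)] [string] $ExportText,
        [Parameter(Mandatory)] [string] $Right
    )
    $inSection = $false
    foreach ($raw in ($ExportText -split "`r?`n")) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if ($inSection -and $line -match '^(\w+)\s*=\s*(.*)$' -and $Matches[1] -eq $Right) {
            # Entries are comma separated; SIDs carry a leading '*'.
            return @($Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
    return @()  # a right missing from the export is assigned to nobody
}

# Assumed baseline: the other admins' accounts that should be denied network logon here.
$expected = @(
    'S-1-5-21-1111111111-2222222222-3333333333-1105',
    'S-1-5-21-1111111111-2222222222-3333333333-1106',
    'S-1-5-21-1111111111-2222222222-3333333333-1107'
)
$actual  = @(Get-UserRightHolder -ExportText $sampleExport -Right 'SeDenyNetworkLogonRight')
$missing = @($expected | Where-Object { $_ -notin $actual })
$extra   = @($actual   | Where-Object { $_ -notin $expected })

if ($missing.Count -or $extra.Count) {
    Write-Warning 'SeDenyNetworkLogonRight differs from baseline'
    $missing | ForEach-Object { "no longer denied: $_" }
    $extra   | ForEach-Object { "unexpected entry:  $_" }
} else {
    'SeDenyNetworkLogonRight matches baseline'
}
```

With the constructed sample, the account ending in -1107 is reported as no longer denied, which is the kind of drift a policy change would produce.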