Re: "enterprise admins" member of local domain administrators ?!
From: Steven L Umbach (sumbach_at_ameritech.net)
Date: 09/05/03
- Next message: haitham: "grant a user permission to install programs and drivers"
- Previous message: Karl Levinson [x y] mvp: "** READ THIS BEFORE POSTING - answers to frequently asked questions 2003.09.05"
- In reply to: Jeff Smalley: ""enterprise admins" member of local domain administrators ?!"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 05 Sep 2003 15:18:58 GMT
You guys may find this article interesting. I have not tried it out myself
and have doubts that it is foolproof, but it is worth a read and may be
helpful to those who cannot redesign their domain structure. --- Steve
http://www.lucent.com/livelink/161922_Whitepaper.pdf
"Jeff Smalley" <Fake@yahoo.com> wrote in message
news:2aef01c373b1$bce13fb0$a501280a@phx.gbl...
> Franz,
> I just posted a similar question recently and didn't get
> any feedback as to how to lock a non-root domain down from
> the root Enterprise Admin folks.
> I was teaching a group for a state agency and they were
> told to take out the Enterprise Admins group from their
> domain Administrators group. That would seem to prevent
> access, but the Enterprise Admins have rights based on
> security settings on all the Active Directory containers
> in the non-root domain. Running a simple test, I logged in
> as an Enterprise Admin member and I couldn't add myself
> back as an Administrator, but I could add myself to the
> Account Operators. I have searched throughout Microsoft's
> website and can't find any recommendations as to securing
> your child domain. The only 2 design thoughts would be to
> have an empty root domain design of your forest or to
> create a separate forest entirely. Neither really helps
> since you already have your AD rolled out.
>
> If you find anything please post it.
>
> Regards,
> Jeff Smalley
>
>
> >-----Original Message-----
> >The following question is in a Windows 2003 server
> >environment, but there is no Windows 2003 server security
> >NG, so I post the question here (it is probably the same
> >problem in W2K):
> >
> >We have a parent domain "parent.com" and a child domain
> >"child.parent.com". The CEO of the child domain asked me
> >if members (including administrators) can access data in
> >the child domain by default. According to Microsoft, a
> >domain is a security boundary, and I told him that access
> >to data in "child.parent.com" for members of "parent.com"
> >must be explicitly granted.
> >
> >Now I saw that the "Enterprise Admins" group of the parent
> >domain is automatically a member of the local domain
> >administrators group in every domain in the forest! So if
> >you intend to grant access to data to the local
> >administrators group, members of the "Enterprise Admins"
> >group can automatically access this data.
> >
> >This is unacceptable for the CEO of the child domain. Is
> >it possible, and what are the consequences, if we remove
> >the "Enterprise Admins" group from the local administrators
> >group in the child domain? (We also run an Exchange 2003
> >installation whose organisation spans the parent and child
> >domain.) We have seen that on member servers the
> >"Enterprise Admins" group is not automatically a member of
> >the local administrators group, but there is sensitive data
> >on the domain controllers.
> >
> >Thanks in advance for any help or links to MS documents
> >about this subject.
> >Franz
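The thread above describes two things a child-domain admin needs to check before trusting that removing Enterprise Admins from the child's Administrators group locks the root admins out: whether the group is still a member of any protected group, and which ACEs on the child's directory objects still name it (Jeff's observation that he could add himself to Account Operators points at the second). The following PowerShell script is an added example and is not code from the thread or from Microsoft; it uses the RSAT ActiveDirectory module's cmdlets, and the domain names "parent.com" and "child.parent.com" plus the drive name CHILD are assumptions to replace with your own.

```powershell
# Added example; not code from the thread. Audits what the forest root's
# Enterprise Admins group can still do in a child domain after it has been
# removed from that domain's built-in Administrators group. Needs the RSAT
# ActiveDirectory module and read access to the child domain's directory.
# The domain names below are assumptions; substitute your own.

Import-Module ActiveDirectory

$rootDomain  = 'parent.com'        # assumption: forest root domain
$childDomain = 'child.parent.com'  # assumption: child domain being audited

# Enterprise Admins always has RID 519 in the forest root domain, so derive
# its SID from the root domain SID rather than resolving it by name.
$rootSid = (Get-ADDomain -Identity $rootDomain).DomainSID.Value
$eaSid   = New-Object System.Security.Principal.SecurityIdentifier ("$rootSid-519")

$child    = Get-ADDomain -Identity $childDomain
$server   = $child.PDCEmulator
$domainDN = $child.DistinguishedName

# Mount the child domain as its own drive so Get-Acl reads the child's ACLs
# rather than those of whatever domain the shell is logged on to.
New-PSDrive -Name CHILD -PSProvider ActiveDirectory -Server $server `
            -Root '//RootDSE/' -Scope Global | Out-Null

# Groups whose ACLs are stamped from AdminSDHolder by the SDProp process.
$protected = 'Administrators', 'Account Operators', 'Server Operators',
             'Backup Operators', 'Print Operators', 'Domain Admins'

# Check 1: is Enterprise Admins a direct member of any protected group?
function Get-EnterpriseAdminsMembership {
    foreach ($group in $protected) {
        $members = Get-ADGroupMember -Identity $group -Server $server -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Group    = $group
            IsMember = @($members | Where-Object { $_.SID.Value -eq $eaSid.Value }).Count -gt 0
        }
    }
}

# Check 2: which Allow ACEs name Enterprise Admins on the objects that matter?
# ACEs on the domain head are inherited by everything beneath it, the
# AdminSDHolder ACL is copied onto every protected group and account, and the
# groups themselves are what an admin would edit to regain membership.
function Get-EnterpriseAdminsAces {
    $targets = @($domainDN, "CN=AdminSDHolder,CN=System,$domainDN")
    $targets += $protected | ForEach-Object {
        Get-ADGroup -Identity $_ -Server $server -ErrorAction SilentlyContinue
    } | Select-Object -ExpandProperty DistinguishedName

    foreach ($dn in $targets) {
        $acl = Get-Acl -Path "CHILD:\$dn"
        # Ask for rules keyed by SID so the match does not depend on name translation.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            if ($rule.IdentityReference.Value -ne $eaSid.Value) { continue }
            if ($rule.AccessControlType -ne 'Allow') { continue }
            [pscustomobject]@{
                Object     = $dn
                Rights     = $rule.ActiveDirectoryRights
                Inherited  = $rule.IsInherited
                # An empty ObjectType means the ACE covers the whole object,
                # not a single attribute or extended right.
                ObjectType = $(if ($rule.ObjectType -eq [guid]::Empty) { '(whole object)' } else { $rule.ObjectType })
            }
        }
    }
}

Get-EnterpriseAdminsMembership | Format-Table -AutoSize
Get-EnterpriseAdminsAces       | Format-Table -AutoSize -Wrap
```

On a default installation the second check reports the root domain's Enterprise Admins with Full Control on the child's domain head (inherited downward) and on AdminSDHolder, which is why pulling the group out of Administrators still leaves it able to edit Account Operators and every other protected group. Those ACEs are not removed by changing group membership, and anyone holding Enterprise Admins (or Domain Admins in the root, which can add itself to Enterprise Admins) can put the membership back, so the forest, not the domain, is the boundary the child-domain CEO is asking for; the separate-forest design Jeff mentions is the only arrangement that delivers it.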