Re: Restricting Domain Admins

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 06/01/05


Date: Wed, 1 Jun 2005 12:23:23 -0500

The operating system automatically checks permissions on those accounts and
other objects/containers and reapplies default permissions every hour which
is what you are seeing and you may see that being recorded in the security
log. This is done to prevent denial of service type attacks against the
operating system. There is no way to effectively restrict a domain
administrator. These are users that you must trust or do not make them a
domain administrator. You could configure Restricted Groups on the domain
controller container to enforce membership of various domain groups but an
administrator could disable such or modify it if they choose. You can also
enable auditing of account management in Domain Controller Security Policy
so that you can see who is modifying group membership and then take
appropriate action. Most domain activity can be delegated to users other
than domain administrators for things such as creating/managing
computers/users/groups and Group Policy. Bottom line with administrators is
to hire competent and honest people and trust but audit. --- Steve

"Lee" <lee@nowehere.com> wrote in message
news:uz$jJesZFHA.3784@TK2MSFTNGP12.phx.gbl...
> Hi,
>
> I would like to stop domain admins from being able to modify the
> membership of the domain admins group.
>
> I have modified the following security on the domain admins group
>
> Removed Write permission
> Removed Modify permission
> Removed modify owner permission
>
> I have modified the following security on builtin\administrators group
>
> Removed Write permission
> Removed Modify permission
> Removed modify owner permission
>
>
> This appears to work fine.
>
> However, after an hour or so, all the permissions that I have removed
> seem to reappear, I am pretty sure no other domain admin is adding them
> back.
>
> Any ideas ?
>
> Thanks
>
> Lee
>
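The hourly reapplication Steve describes is the SDProp task on the PDC emulator, which every 60 minutes by default stamps the security descriptor of the AdminSDHolder object (CN=AdminSDHolder,CN=System,...) onto every protected principal, i.e. the accounts and groups marked adminCount=1, Domain Admins and the built-in Administrators group among them. The script below is an added example, not code from either poster: it shows the difference between a group's current ACL and the AdminSDHolder template (what SDProp will undo on its next pass), lists the protected objects, and then does the "audit" part of Steve's advice by pulling the group-membership-change events from each domain controller. It assumes the RSAT ActiveDirectory module (and the AD: drive it creates), Domain Admins rights, default AD object names, and the Windows Server 2008+ event IDs 4728/4732/4756; the EventData field positions used for the actor, member and group are taken from those events' schema.

```powershell
# Added example (not from the original post). Assumes the RSAT ActiveDirectory
# module and its AD: drive; run as a Domain Admin on a DC or RSAT host.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$holderDN = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
$groupDN  = (Get-ADGroup -Identity 'Domain Admins').DistinguishedName

# Security descriptor of the template object and of the protected group.
$holderAcl = Get-Acl -Path "AD:\$holderDN"
$groupAcl  = Get-Acl -Path "AD:\$groupDN"

# Reduce each ACE to a comparable string: principal, rights, allow/deny, inheritance.
function Get-AceKeys($acl) {
    $acl.Access | ForEach-Object {
        '{0}|{1}|{2}|{3}' -f $_.IdentityReference, $_.ActiveDirectoryRights,
                            $_.AccessControlType, $_.InheritanceType
    } | Sort-Object -Unique
}

# '<=' rows exist only on AdminSDHolder (SDProp will add them back),
# '=>' rows exist only on the group (SDProp will remove them).
$diff = Compare-Object -ReferenceObject (Get-AceKeys $holderAcl) `
                       -DifferenceObject (Get-AceKeys $groupAcl)
if ($diff) {
    "ACL of $groupDN differs from AdminSDHolder; SDProp will overwrite it on its next pass:"
    $diff | Format-Table -AutoSize
} else {
    "ACL of $groupDN already matches AdminSDHolder."
}

# Everything SDProp currently protects (adminCount=1): the set whose
# permissions are reapplied each hour, including the groups Lee edited.
Get-ADObject -LDAPFilter '(adminCount=1)' -Properties adminCount |
    Select-Object Name, ObjectClass, DistinguishedName

# Who changed group membership? With account-management (security group
# management) auditing enabled on the DCs, the Security log records member
# additions as 4728 (global), 4732 (domain local) and 4756 (universal group).
# The log is per-DC, so query every DC and merge the results.
$events = Get-ADDomainController -Filter * | ForEach-Object {
    Get-WinEvent -ComputerName $_.HostName -FilterHashtable @{
        LogName = 'Security'; Id = 4728, 4732, 4756
    } -ErrorAction SilentlyContinue
}
$events | ForEach-Object {
    [pscustomobject]@{
        Time   = $_.TimeCreated
        DC     = $_.MachineName
        Actor  = $_.Properties[6].Value   # SubjectUserName: who made the change
        Member = $_.Properties[0].Value   # MemberName: DN of the account added
        Group  = $_.Properties[2].Value   # TargetUserName: group that was modified
    }
} | Sort-Object Time -Descending | Format-Table -AutoSize
```

To make a permission change stick on a protected group it has to be made on AdminSDHolder itself, and, as Steve says, any domain administrator can change it back; the Compare-Object output is useful mainly for confirming that an "unexplained" reversal came from SDProp rather than from a colleague, and the event query tells you which account actually changed the membership.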
