Re: Restricting Domain Admins

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 06/02/05


Date: Wed, 1 Jun 2005 23:05:55 -0700

With all that has been said so far accepted, I will add that I do also
understand how placing hurdles or minor bumps in the way can serve
to remind people that they are trying to go where they should not go.
With that said, you will need to alter the security set on the AD object
in that domain found in the System container named AdminSDHolder.

Be careful. This affects the SD on a number of guarded principals,
and in general altering this is not advised. Consider the results if this is
done in the forest root domain to effect the changes you are attempting,
and remember that this is also the DACL on the AdminSDHolder object
itself, so the results from the changes could be that no principal can later
set the values differently again.

-- 
Roger Abell
Microsoft MVP (Windows  Security)
MCSE (W2k3,W2k,Nt4)  MCDBA
"Lee" <lee@nowehere.com> wrote in message
news:uz$jJesZFHA.3784@TK2MSFTNGP12.phx.gbl...
> Hi,
>
> I would like to stop domain admins from being able to modify the
> membership of the domain admins group.
>
> I have modified the following security on the domain admins group
>
> Removed Write permission
> Removed Modify permission
> Removed modify owner permission
>
> I have modified the following security on builtin\administrators group
>
> Removed Write permission
> Removed Modify permission
> Removed modify owner permission
>
>
> This appears to work fine.
>
> However, after an hour or so, all the permissions that I have removed
> seem to reappear, I am pretty sure no other domain admin is adding them back.
>
> Any ideas ?
>
> Thanks
>
> Lee
>
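The behaviour Lee describes (ACL edits on Domain Admins that reappear roughly an hour later) is the SDProp process stamping the security descriptor of the AdminSDHolder object back onto the protected groups and their members, which is why Roger points at that object. Before anyone considers editing AdminSDHolder, it is worth being able to see exactly what the template currently grants and which principals it protects. The following PowerShell script is an added example, not part of the newsgroup thread; it assumes the RSAT ActiveDirectory module is installed and that the caller can read the System container, and it only reads and compares ACLs, changing nothing.

```powershell
# Added example (not from the newsgroup post): audit the AdminSDHolder template and the
# principals SDProp protects, and show which ACEs on Domain Admins differ from the template.
# Assumes the RSAT ActiveDirectory module; read-only, no ACL is modified.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$holderDN = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"

# 1. Dump the DACL of AdminSDHolder. Every explicit ACE here is what SDProp
#    re-applies to Domain Admins, Administrators and the other protected objects.
$holderAcl = Get-Acl -Path "AD:\$holderDN"
"== AdminSDHolder DACL (owner: $($holderAcl.Owner)) =="
$holderAcl.Access |
    Sort-Object IdentityReference |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, IsInherited |
    Format-Table -AutoSize

# 2. List the principals currently marked as protected (adminCount=1). Accounts that
#    have left a protected group keep adminCount=1 and the stamped ACL until someone
#    cleans them up, so this list deserves review on its own.
"== Protected principals (adminCount=1) =="
Get-ADObject -LDAPFilter "(adminCount=1)" -Properties objectClass, whenChanged |
    Select-Object Name, objectClass, whenChanged |
    Sort-Object objectClass, Name |
    Format-Table -AutoSize

# 3. Compare the explicit ACEs on Domain Admins with the template. An ACE on the group
#    that is not in AdminSDHolder is a local edit SDProp will overwrite on its next pass
#    (the "reappearing permissions" in the question); an ACE in the template that is
#    missing from the group means SDProp has not run since the template changed.
#    Comparing only non-inherited ACEs is an assumption of this example.
$aceKey = {
    "$($_.IdentityReference)|$($_.AccessControlType)|$($_.ActiveDirectoryRights)|" +
    "$($_.ObjectType)|$($_.InheritanceType)|$($_.InheritedObjectType)"
}
$daDN   = (Get-ADGroup -Identity "Domain Admins").DistinguishedName
$daAcl  = Get-Acl -Path "AD:\$daDN"
$template = @($holderAcl.Access | Where-Object { -not $_.IsInherited } | ForEach-Object $aceKey)
$onGroup  = @($daAcl.Access     | Where-Object { -not $_.IsInherited } | ForEach-Object $aceKey)

$diff = Compare-Object -ReferenceObject $template -DifferenceObject $onGroup
"== ACEs on Domain Admins not in AdminSDHolder (SDProp will revert these) =="
$diff | Where-Object SideIndicator -eq '=>' | Select-Object -ExpandProperty InputObject
"== ACEs in AdminSDHolder not yet on Domain Admins (SDProp has not propagated them) =="
$diff | Where-Object SideIndicator -eq '<=' | Select-Object -ExpandProperty InputObject
```

Run it from an elevated PowerShell session on a domain-joined machine with RSAT. The third section is the useful check for Lee's situation: the Write, Modify and Modify Owner entries he removed show up as ACEs present in the template but absent from the group, which is exactly what SDProp puts back on its next pass. It also makes Roger's warning concrete, since whatever is in the first section is what every protected principal will carry after the next run, including AdminSDHolder itself.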

