Re: Restricting Domain Admins

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 06/02/05

• Next message: Roger Abell: "Re: listing of all permissions on a server"
• Previous message: Roger Abell: "Re: Restricting Domain Admins"
• In reply to: Lee: "Restricting Domain Admins"
• Next in thread: Lee: "Re: Restricting Domain Admins"
• Reply: Lee: "Re: Restricting Domain Admins"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Date: Wed, 1 Jun 2005 23:15:15 -0700

Just after posting I noticed that what you were attempting to modify does
not prevent then from changing the membership of those groups, which
was your stated objective. Those do prevent them from being able to
alter the DACL so that they could grant the ability to alter the groups'
memberships back to themselves, which is no doubt why you were
trying to change these, but you would need to change the other grants
for writing, etc. and change the owner.

-- 
Roger Abell
Microsoft MVP (Windows  Security)
MCSE (W2k3,W2k,Nt4)  MCDBA
"Lee" <lee@nowehere.com> wrote in message
news:uz$jJesZFHA.3784@TK2MSFTNGP12.phx.gbl...
> Hi,
>
> I would like to stop domain admins from being able to modify the
membership
> of the domain admins group.
>
> I have modified the following security on thr domain admins group
>
> Removed Write permission
> Removed Modify permission
> Removed modify owner permission
>
> I have modified the following security on builtin\administrators group
>
> Removed Write permission
> Removed Modify permission
> Removed modify owner permission
>
>
> This appears to work fine.
>
> However, after an hour or so,  all the permissions that I have removed
seem
> to reappear, I am pretty sure no other domain admin is adding them back.
>
> Any ideas ?
>
> Thanks
>
> Lee
>
>
>
>
>

---

• Next message: Roger Abell: "Re: listing of all permissions on a server"
• Previous message: Roger Abell: "Re: Restricting Domain Admins"
• In reply to: Lee: "Restricting Domain Admins"
• Next in thread: Lee: "Re: Restricting Domain Admins"
• Reply: Lee: "Re: Restricting Domain Admins"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: Restricting Domain Admins ... > Change the security on the adminSDHolder container so that domain admins ... > Modify Permissions ... >>> Removed Modify permission ... >>> Removed modify owner permission ... (microsoft.public.windows.server.security) Re: Restricting Domain Admins ... Modify Permissions ... the settings I have changed stop domain admins from ... >> Removed Modify permission ... >> Removed modify owner permission ... (microsoft.public.windows.server.security) Re: Restricting Domain Admins ... > protect the domain admins group to the level that I require. ... >>> Modify Permissions ... >>> modifying the domain admins group membership, ... >>>>> Removed Modify permission ... (microsoft.public.windows.server.security) Re: Restricting Domain Admins ... > Change the security on the adminSDHolder container so that domain admins ... > Modify Permissions ... >>> Removed Modify permission ... >>> Removed modify owner permission ... (microsoft.public.windows.server.security) Restricting Domain Admins ... I would like to stop domain admins from being able to modify the membership ... Removed Modify permission ... Removed modify owner permission ... (microsoft.public.windows.server.security)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(17)