Re: Restricting Domain Admins
From: Lee (lee_at_nowehere.com)
Date: 06/02/05
- Next message: tjg_at_meitech.com: "Administrator Approved Controls on Windows 2003 Server"
- Previous message: David Beder [MSFT]: "Re: Port Range in Exceptions"
- In reply to: Roger Abell: "Re: Restricting Domain Admins"
- Next in thread: Roger Abell: "Re: Restricting Domain Admins"
- Reply: Roger Abell: "Re: Restricting Domain Admins"
- Reply: Roger Abell: "Re: Restricting Domain Admins"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 2 Jun 2005 12:54:04 +0100
All,
Thanks very much for your replies.
Roger, I have been trying your suggestions in my test environment, here is
what I have done.
Change the security on the adminSDHolder container so that domain admins and
builtin\administrators do not have the following rights:
Write
Modify Permissions
Modify Owner
This appears to work (I've also modified the Default domain controllers
policy so that only Enterprise admins can take ownership of objects.)
My question now is: the settings I have changed stop domain admins from
modifying the domain admins group membership; what other groups will these
settings restrict domain admins from modifying?
Thanks
Lee
"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:%234bTvpzZFHA.3132@TK2MSFTNGP09.phx.gbl...
> Just after posting I noticed that what you were attempting to modify does
> not prevent then from changing the membership of those groups, which
> was your stated objective. Those do prevent them from being able to
> alter the DACL so that they could grant the ability to alter the groups'
> memberships back to themselves, which is no doubt why you were
> trying to change these, but you would need to change the other grants
> for writing, etc. and change the owner.
>
> --
> Roger Abell
> Microsoft MVP (Windows Security)
> MCSE (W2k3,W2k,Nt4) MCDBA
> "Lee" <lee@nowehere.com> wrote in message
> news:uz$jJesZFHA.3784@TK2MSFTNGP12.phx.gbl...
>> Hi,
>>
>> I would like to stop domain admins from being able to modify the
>> membership of the domain admins group.
>>
>> I have modified the following security on the domain admins group
>>
>> Removed Write permission
>> Removed Modify permission
>> Removed modify owner permission
>>
>> I have modified the following security on builtin\administrators group
>>
>> Removed Write permission
>> Removed Modify permission
>> Removed modify owner permission
>>
>>
>> This appears to work fine.
>>
>> However, after an hour or so, all the permissions that I have removed
>> seem to reappear, I am pretty sure no other domain admin is adding them back.
>>
>> Any ideas ?
>>
>> Thanks
>>
>> Lee
>>
>
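An added example, not code from the thread, that answers Lee's question from the defender's side: it lists every object SDProp has stamped with adminCount=1 (the set that receives AdminSDHolder's DACL on each hourly pass) and flags any whose explicit DACL currently differs from the template, which is exactly the state that "reappears" after an hour. It assumes the ActiveDirectory PowerShell module and a domain-joined session; Get-AdminSdHolderDrift and Get-DaclFingerprint are hypothetical function names.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-DaclFingerprint {
    param([System.DirectoryServices.ActiveDirectorySecurity]$Sd)
    # Reduce the DACL to a sorted list of explicit (non-inherited) ACEs so that
    # ACE ordering and SID-to-name resolution do not affect the comparison.
    $rules = $Sd.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
    ($rules | ForEach-Object {
        '{0}|{1}|{2}|{3}|{4}' -f $_.IdentityReference, $_.AccessControlType,
                                 $_.ActiveDirectoryRights, $_.ObjectType, $_.InheritanceType
    } | Sort-Object -Unique) -join "`n"
}

function Get-AdminSdHolderDrift {
    param([string]$Server)

    $domain = if ($Server) { Get-ADDomain -Server $Server } else { Get-ADDomain }
    $holderDn = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
    $holder = Get-ADObject -Identity $holderDn -Properties nTSecurityDescriptor
    $template = Get-DaclFingerprint -Sd $holder.nTSecurityDescriptor

    # adminCount=1 marks the objects SDProp has already stamped. Note that the
    # attribute is not cleared when an object later leaves a protected group,
    # so stale entries can appear here as well.
    Get-ADObject -LDAPFilter '(adminCount=1)' -SearchBase $domain.DistinguishedName `
                 -Properties nTSecurityDescriptor, whenChanged |
    ForEach-Object {
        $current = Get-DaclFingerprint -Sd $_.nTSecurityDescriptor
        [pscustomobject]@{
            Name          = $_.Name
            ObjectClass   = $_.ObjectClass
            MatchesHolder = ($current -eq $template)  # $false: edited since last SDProp pass
            WhenChanged   = $_.whenChanged
        }
    }
}

# Usage: show which protected groups and accounts the AdminSDHolder DACL governs,
# with any object whose DACL has drifted from the template listed first.
Get-AdminSdHolderDrift | Sort-Object MatchesHolder, Name | Format-Table -AutoSize
```

Rows with MatchesHolder set to $true are the objects whose permissions are controlled by the AdminSDHolder change; a $false row is one that will be overwritten on the next SDProp run, which is why Lee's direct edits to the group objects did not survive.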