Re: Restricting Domain Admins
From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 06/02/05
- Next message: Roger Abell: "Re: Restricting Domain Admins"
- Previous message: tjg_at_meitech.com: "Re: Administrator Approved Controls on Windows 2003 Server"
- In reply to: Lee: "Re: Restricting Domain Admins"
- Next in thread: Roger Abell: "Re: Restricting Domain Admins"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 2 Jun 2005 08:00:49 -0700
I believe that there is a KB article that was eventually published which
lists the principals that automatically get their ACLs refreshed from the
AdminSDHolder. I do not have that specific KB number to hand, but it
appears there could be some information important for you hiding in these:
http://support.microsoft.com/search/default.aspx?qu=AdminSDHolder
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA

"Lee" <lee@nowehere.com> wrote in message news:OU8AHn2ZFHA.3040@TK2MSFTNGP14.phx.gbl...
> All,
>
> Thanks very much for your replies.
>
> Roger, I have been trying your suggestions in my test environment, here is
> what I have done.
>
> Change the security on the adminSDHolder container so that domain admins and
> builtin\administrators do not have the following rights
>
> Write
> Modify Permissions
> Modify Owner
>
> This appears to work (I've also modified the Default domain controllers
> policy so that only Enterprise admins can take ownership of objects.)
>
> My question now is, the settings I have changed stop domain admins from
> modifying the domain admins group membership, what other groups will these
> settings restrict domain admins from modifying.
>
> Thanks
>
> Lee
>
> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> news:%234bTvpzZFHA.3132@TK2MSFTNGP09.phx.gbl...
> > Just after posting I noticed that what you were attempting to modify does
> > not prevent them from changing the membership of those groups, which
> > was your stated objective. Those do prevent them from being able to
> > alter the DACL so that they could grant the ability to alter the groups'
> > memberships back to themselves, which is no doubt why you were
> > trying to change these, but you would need to change the other grants
> > for writing, etc. and change the owner.
> >
> > --
> > Roger Abell
> > Microsoft MVP (Windows Security)
> > MCSE (W2k3,W2k,Nt4) MCDBA
> > "Lee" <lee@nowehere.com> wrote in message
> > news:uz$jJesZFHA.3784@TK2MSFTNGP12.phx.gbl...
> >> Hi,
> >>
> >> I would like to stop domain admins from being able to modify the
> >> membership of the domain admins group.
> >>
> >> I have modified the following security on the domain admins group
> >>
> >> Removed Write permission
> >> Removed Modify permission
> >> Removed modify owner permission
> >>
> >> I have modified the following security on builtin\administrators group
> >>
> >> Removed Write permission
> >> Removed Modify permission
> >> Removed modify owner permission
> >>
> >> This appears to work fine.
> >>
> >> However, after an hour or so, all the permissions that I have removed
> >> seem to reappear, I am pretty sure no other domain admin is adding them back.
> >>
> >> Any ideas ?
> >>
> >> Thanks
> >>
> >> Lee
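Lee's question (which groups, besides Domain Admins, the AdminSDHolder change affects) can be answered empirically rather than from a KB list. The following PowerShell is an added example, not code from anyone in this thread; it assumes the RSAT ActiveDirectory module is installed, that AdminSDHolder sits at its default location under CN=System, and that the caller can read nTSecurityDescriptor on the objects involved. It lists every object that SDProp has stamped with adminCount=1 (the objects whose ACLs are overwritten from the template), shows what the template currently grants to Domain Admins and BUILTIN\Administrators, and flags any protected object whose DACL has drifted from the template since the last SDProp pass.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory RSAT module
# and read access to nTSecurityDescriptor on the objects queried.
Import-Module ActiveDirectory

function Get-AdminSDHolder {
    # AdminSDHolder lives at a fixed location under CN=System in every domain.
    $domainDN = (Get-ADDomain).DistinguishedName
    Get-ADObject -Identity "CN=AdminSDHolder,CN=System,$domainDN" `
        -Properties nTSecurityDescriptor
}

function Get-SdpropProtectedObjects {
    # SDProp sets adminCount=1 on every object whose DACL it has overwritten,
    # so this filter returns the groups and accounts currently under the
    # template's control in this domain.
    $domainDN = (Get-ADDomain).DistinguishedName
    Get-ADObject -LDAPFilter '(adminCount=1)' -SearchBase $domainDN `
        -Properties nTSecurityDescriptor, adminCount
}

function Get-AceSet($securityDescriptor) {
    # Canonical, sorted list of ACEs so two DACLs can be compared regardless
    # of ACE order or control flags.
    $securityDescriptor.Access | ForEach-Object {
        '{0}|{1}|{2}|{3}|{4}' -f $_.IdentityReference, $_.ActiveDirectoryRights,
            $_.AccessControlType, $_.ObjectType, $_.InheritedObjectType
    } | Sort-Object -Unique
}

function Show-AdminSDHolderGrants {
    # The ACEs on the template that Lee's change is meant to remove: whatever
    # Domain Admins and BUILTIN\Administrators hold here is what they will
    # hold on every protected object after the next SDProp pass.
    $holder = Get-AdminSDHolder
    $holder.nTSecurityDescriptor.Access |
        Where-Object { $_.IdentityReference -match 'Domain Admins|BUILTIN\\Administrators' } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, ObjectType
}

function Compare-ProtectedObjectsToTemplate {
    # For each protected object, report whether its DACL matches the template.
    # A mismatch means the object's ACL was edited since the last SDProp run
    # (every 60 minutes by default, on the PDC emulator) and will be reverted,
    # which is exactly the "permissions reappear after an hour" symptom.
    $holder      = Get-AdminSDHolder
    $templateAce = Get-AceSet $holder.nTSecurityDescriptor

    foreach ($obj in Get-SdpropProtectedObjects) {
        $objAce = Get-AceSet $obj.nTSecurityDescriptor
        [pscustomobject]@{
            Name            = $obj.Name
            ObjectClass     = $obj.ObjectClass
            Owner           = $obj.nTSecurityDescriptor.Owner
            MatchesTemplate = -not (Compare-Object $templateAce $objAce)
        }
    }
}

Show-AdminSDHolderGrants            | Format-Table -AutoSize
Compare-ProtectedObjectsToTemplate  | Format-Table -AutoSize
```

Two caveats when reading the output. SDProp does not clear adminCount when a principal stops being protected (for example, a user removed from Domain Admins), so the adminCount=1 query can include stale entries; those will typically show MatchesTemplate as False with no recent ACL change. And the Owner column is shown because, as Roger notes above, the owner can re-grant itself WRITE_DAC regardless of what the DACL says, so removing Write and Modify Permissions from the template without also changing ownership leaves the restriction reversible.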