Re: Restricting Domain Admins
From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 06/02/05
- Next message: Roger Abell: "Re: Authenicated Users Query"
- Previous message: Roger Abell: "Re: Restricting Domain Admins"
- In reply to: Lee: "Re: Restricting Domain Admins"
- Next in thread: Lee: "Re: Restricting Domain Admins"
- Reply: Lee: "Re: Restricting Domain Admins"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 2 Jun 2005 08:24:47 -0700
Lee,
As I have not gone far down the road you are traveling, aside from
the already mentioned needed change of ownership of the groups
you are aiming to manage in this way the other thing you will need
to test and likely prevent is the defining of Domain Admins as a
restricted group in a GPO with higher priority on the Domain Controllers
OU than the controlling GPO with restricted group def that you control.
-- Roger Abell Microsoft MVP (Windows Security) MCSE (W2k3,W2k,Nt4) MCDBA "Lee" <lee@nowehere.com> wrote in message news:OU8AHn2ZFHA.3040@TK2MSFTNGP14.phx.gbl... > All, > > Thanks very much for your replies. > > Roger, I have been trying your suggestions in my test environment, here is > what I have done. > > Change the security on the adminSDHolder container so that domain admins and > builtin\administrators do not have the following rights > > Write > Modify Permissions > Modify Owner > > > This appears to work (I've also modified the Default domain controllers > policy so that only Enterprise admins can take ownership of objects.) > > My question now is, the settings I have changed stop domain admins from > modifying the domain admins group membership, what other groups will these > settings restrict domain admins from modifying. > > Thanks > > Lee > > "Roger Abell" <mvpNOSpam@asu.edu> wrote in message > news:%234bTvpzZFHA.3132@TK2MSFTNGP09.phx.gbl... > > Just after posting I noticed that what you were attempting to modify does > > not prevent then from changing the membership of those groups, which > > was your stated objective. Those do prevent them from being able to > > alter the DACL so that they could grant the ability to alter the groups' > > memberships back to themselves, which is no doubt why you were > > trying to change these, but you would need to change the other grants > > for writing, etc. and change the owner. > > > > -- > > Roger Abell > > Microsoft MVP (Windows Security) > > MCSE (W2k3,W2k,Nt4) MCDBA > > "Lee" <lee@nowehere.com> wrote in message > > news:uz$jJesZFHA.3784@TK2MSFTNGP12.phx.gbl... > >> Hi, > >> > >> I would like to stop domain admins from being able to modify the > > membership > >> of the domain admins group. > >> > >> I have modified the following security on thr domain admins group > >> > >> Removed Write permission > >> Removed Modify permission > >> Removed modify owner permission > >> > >> I have modified the following security on builtin\administrators group > >> > >> Removed Write permission > >> Removed Modify permission > >> Removed modify owner permission > >> > >> > >> This appears to work fine. > >> > >> However, after an hour or so, all the permissions that I have removed > > seem > >> to reappear, I am pretty sure no other domain admin is adding them back. > >> > >> Any ideas ? > >> > >> Thanks > >> > >> Lee > >> > >> > >> > >> > >> > > > > > >
- Next message: Roger Abell: "Re: Authenicated Users Query"
- Previous message: Roger Abell: "Re: Restricting Domain Admins"
- In reply to: Lee: "Re: Restricting Domain Admins"
- Next in thread: Lee: "Re: Restricting Domain Admins"
- Reply: Lee: "Re: Restricting Domain Admins"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
