Re: Restricting Domain Admins
From: Lee (lee_at_nowehere.com)
Date: 06/02/05
- Next message: Steven L Umbach: "Re: Authenicated Users Query"
- Previous message: Roger Abell: "Re: Authenicated Users Query"
- In reply to: Roger Abell: "Re: Restricting Domain Admins"
- Next in thread: Roger Abell [MVP]: "Re: Restricting Domain Admins"
- Reply: Roger Abell [MVP]: "Re: Restricting Domain Admins"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 2 Jun 2005 16:36:59 +0100
Roger,
Thanks very much for your information and explanation. I will be looking
at GPOs next. However, I will most certainly be leaving a few
"well-hidden" backdoors open in case the worst comes to the worst. For now,
I think the solution that you presented to me is good enough to protect the
domain admins group to the level that I require.
Regards,
Lee
"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:OIqLzc4ZFHA.3808@TK2MSFTNGP14.phx.gbl...
> Lee,
>
> As I have not gone far down the road you are traveling, aside from
> the already mentioned needed change of ownership of the groups
> you are aiming to manage in this way the other thing you will need
> to test and likely prevent is the defining of Domain Admins as a
> restricted group in a GPO with higher priority on the Domain Controllers
> OU than the controlling GPO with restricted group def that you control.
>
> --
> Roger Abell
> Microsoft MVP (Windows Security)
> MCSE (W2k3,W2k,Nt4) MCDBA
> "Lee" <lee@nowehere.com> wrote in message
> news:OU8AHn2ZFHA.3040@TK2MSFTNGP14.phx.gbl...
>> All,
>>
>> Thanks very much for your replies.
>>
>> Roger, I have been trying your suggestions in my test environment, here
>> is what I have done.
>>
>> Change the security on the adminSDHolder container so that domain admins
>> and builtin\administrators do not have the following rights
>>
>> Write
>> Modify Permissions
>> Modify Owner
>>
>>
>> This appears to work (I've also modified the Default domain controllers
>> policy so that only Enterprise admins can take ownership of objects.)
>>
>> My question now is, the settings I have changed stop domain admins from
>> modifying the domain admins group membership, what other groups will
>> these settings restrict domain admins from modifying?
>>
>> Thanks
>>
>> Lee
>>
>> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
>> news:%234bTvpzZFHA.3132@TK2MSFTNGP09.phx.gbl...
>> > Just after posting I noticed that what you were attempting to modify
>> > does not prevent them from changing the membership of those groups, which
>> > was your stated objective. Those do prevent them from being able to
>> > alter the DACL so that they could grant the ability to alter the
>> > groups' memberships back to themselves, which is no doubt why you were
>> > trying to change these, but you would need to change the other grants
>> > for writing, etc. and change the owner.
>> >
>> > --
>> > Roger Abell
>> > Microsoft MVP (Windows Security)
>> > MCSE (W2k3,W2k,Nt4) MCDBA
>> > "Lee" <lee@nowehere.com> wrote in message
>> > news:uz$jJesZFHA.3784@TK2MSFTNGP12.phx.gbl...
>> >> Hi,
>> >>
>> >> I would like to stop domain admins from being able to modify the
>> >> membership of the domain admins group.
>> >>
>> >> I have modified the following security on the domain admins group
>> >>
>> >> Removed Write permission
>> >> Removed Modify permission
>> >> Removed modify owner permission
>> >>
>> >> I have modified the following security on builtin\administrators group
>> >>
>> >> Removed Write permission
>> >> Removed Modify permission
>> >> Removed modify owner permission
>> >>
>> >>
>> >> This appears to work fine.
>> >>
>> >> However, after an hour or so, all the permissions that I have removed
>> >> seem to reappear, I am pretty sure no other domain admin is adding them
>> >> back.
>> >>
>> >> Any ideas ?
>> >>
>> >> Thanks
>> >>
>> >> Lee
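The thread turns on two things a defender would want to verify after making the AdminSDHolder change discussed above: which objects that DACL actually governs (the "what other groups" question), and whether a higher-priority GPO on the Domain Controllers OU could redefine Domain Admins as a Restricted Group. The script below is an added audit example, not code from the thread or from any of its participants; it assumes the ActiveDirectory and GroupPolicy PowerShell modules (RSAT) are installed on a domain-joined Windows host with read access to the directory.

```powershell
# Added example (not from the thread): read-only audit of AdminSDHolder scope
# and of GPO precedence on the Domain Controllers OU.
# Assumes RSAT's ActiveDirectory and GroupPolicy modules are available.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain   = Get-ADDomain
$holderDN = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"

# 1. Which trustees still hold write-class rights on AdminSDHolder?
#    SDProp stamps this DACL onto every protected object roughly hourly, which
#    is why edits made directly on the group "reappear" after an hour.
$writeRights = [System.DirectoryServices.ActiveDirectoryRights]'GenericWrite, WriteDacl, WriteOwner, GenericAll'
$holderAcl = Get-Acl -Path "AD:\$holderDN"
$holderAcl.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and ($_.ActiveDirectoryRights -band $writeRights) } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited |
    Format-Table -AutoSize

# 2. Every object SDProp protects carries adminCount=1. These, not only
#    Domain Admins, are what the AdminSDHolder DACL restricts. Note that
#    adminCount is not cleared when an object leaves a protected group, so
#    stale entries can appear here too.
Get-ADObject -LDAPFilter '(adminCount=1)' -Properties objectClass |
    Sort-Object objectClass, Name |
    Select-Object objectClass, Name, DistinguishedName |
    Format-Table -AutoSize

# 3. Compare the explicit (non-inherited) ACEs on Domain Admins with those on
#    AdminSDHolder. After SDProp has run, the two sets should match; any
#    difference means the group's DACL has drifted or SDProp has not yet run.
$toKey = { "$($_.IdentityReference)|$($_.ActiveDirectoryRights)|$($_.AccessControlType)" }
$daAcl = Get-Acl -Path "AD:\$((Get-ADGroup 'Domain Admins').DistinguishedName)"
Compare-Object `
    ($holderAcl.Access | Where-Object { -not $_.IsInherited } | ForEach-Object $toKey) `
    ($daAcl.Access     | Where-Object { -not $_.IsInherited } | ForEach-Object $toKey) |
    Format-Table -AutoSize

# 4. GPO links on the Domain Controllers OU in precedence order. A Restricted
#    Groups definition for Domain Admins in a higher-precedence (lower Order)
#    link would win over the controlling GPO Roger refers to.
$dcOU = "OU=Domain Controllers,$($domain.DistinguishedName)"
(Get-GPInheritance -Target $dcOU).GpoLinks |
    Sort-Object Order |
    Select-Object Order, DisplayName, Enabled, Enforced |
    Format-Table -AutoSize
```

Section 4 only lists link precedence; open each listed GPO's Computer Configuration > Windows Settings > Security Settings > Restricted Groups to see whether Domain Admins is defined there.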