Re: Restricting Domain Admins
From: Roger Abell [MVP] (mvpNoSpam_at_asu.edu)
Date: 06/03/05
- Next message: Achim Domma (Procoders): "Restrict access to ATL COM service"
- Previous message: Roger Abell [MVP]: "Re: Admin Privs without being in the administrator group"
- In reply to: Lee: "Re: Restricting Domain Admins"
Date: Thu, 2 Jun 2005 22:35:34 -0700
Fair enough, if good enough. But remember it would likely be
quick/simple for them to change membership with a restricted
group definition, and then change it back, until you take priority
control over that, since the modification of the group will be done
for them by the system enforcing policy.
--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCDBA, MCSE W2k3+W2k+Nt4

"Lee" <lee@nowehere.com> wrote in message
news:uAZKsj4ZFHA.1044@TK2MSFTNGP10.phx.gbl...
> Roger,
>
> Thanks very much for your information and explanation. I will be looking
> at GPO's next. However, I will most certainly be leaving a few
> "well-hidden" backdoors open in case the worst comes to the worst. For
> now, I think the solution that you presented to me is good enough to
> protect the domain admins group to the level that I require.
>
> Regards,
>
> Lee
>
> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> news:OIqLzc4ZFHA.3808@TK2MSFTNGP14.phx.gbl...
>> Lee,
>>
>> As I have not gone far down the road you are traveling, aside from
>> the already mentioned needed change of ownership of the groups
>> you are aiming to manage in this way the other thing you will need
>> to test and likely prevent is the defining of Domain Admins as a
>> restricted group in a GPO with higher priority on the Domain Controllers
>> OU than the controlling GPO with restricted group def that you control.
>>
>> --
>> Roger Abell
>> Microsoft MVP (Windows Security)
>> MCSE (W2k3,W2k,Nt4) MCDBA
>>
>> "Lee" <lee@nowehere.com> wrote in message
>> news:OU8AHn2ZFHA.3040@TK2MSFTNGP14.phx.gbl...
>>> All,
>>>
>>> Thanks very much for your replies.
>>>
>>> Roger, I have been trying your suggestions in my test environment, here
>>> is what I have done.
>>>
>>> Change the security on the adminSDHolder container so that domain admins
>>> and builtin\administrators do not have the following rights
>>>
>>> Write
>>> Modify Permissions
>>> Modify Owner
>>>
>>> This appears to work (I've also modified the Default domain controllers
>>> policy so that only Enterprise admins can take ownership of objects.)
>>>
>>> My question now is, the settings I have changed stop domain admins from
>>> modifying the domain admins group membership, what other groups will
>>> these settings restrict domain admins from modifying.
>>>
>>> Thanks
>>>
>>> Lee
>>>
>>> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
>>> news:%234bTvpzZFHA.3132@TK2MSFTNGP09.phx.gbl...
>>> > Just after posting I noticed that what you were attempting to modify
>>> > does not prevent them from changing the membership of those groups, which
>>> > was your stated objective. Those do prevent them from being able to
>>> > alter the DACL so that they could grant the ability to alter the
>>> > groups' memberships back to themselves, which is no doubt why you were
>>> > trying to change these, but you would need to change the other grants
>>> > for writing, etc. and change the owner.
>>> >
>>> > --
>>> > Roger Abell
>>> > Microsoft MVP (Windows Security)
>>> > MCSE (W2k3,W2k,Nt4) MCDBA
>>> >
>>> > "Lee" <lee@nowehere.com> wrote in message
>>> > news:uz$jJesZFHA.3784@TK2MSFTNGP12.phx.gbl...
>>> >> Hi,
>>> >>
>>> >> I would like to stop domain admins from being able to modify the
>>> >> membership of the domain admins group.
>>> >>
>>> >> I have modified the following security on the domain admins group
>>> >>
>>> >> Removed Write permission
>>> >> Removed Modify permission
>>> >> Removed modify owner permission
>>> >>
>>> >> I have modified the following security on builtin\administrators
>>> >> group
>>> >>
>>> >> Removed Write permission
>>> >> Removed Modify permission
>>> >> Removed modify owner permission
>>> >>
>>> >> This appears to work fine.
>>> >>
>>> >> However, after an hour or so, all the permissions that I have
>>> >> removed seem to reappear, I am pretty sure no other domain admin is
>>> >> adding them back.
>>> >>
>>> >> Any ideas ?
>>> >>
>>> >> Thanks
>>> >>
>>> >> Lee
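Added example, not code from anyone in this thread: a read-only PowerShell audit of the three things the exchange turns on. It reports which write-type ACEs on AdminSDHolder still grant Domain Admins or BUILTIN\Administrators the rights Lee removed (SDProp re-stamps that ACL onto protected groups on its default hourly run, which is the "reappear after an hour" Lee saw), lists every object SDProp has marked with adminCount=1 (the set of groups and accounts the AdminSDHolder change actually governs), and prints the GPOs linked to the Domain Controllers OU in precedence order so a higher-priority Restricted Groups definition of the kind Roger warns about can be spotted. It assumes the RSAT ActiveDirectory and GroupPolicy modules are installed, a domain account with read access, and that a Restricted Groups setting shows up in the GPO XML report under an element containing the string "RestrictedGroups" (an assumption about the report format, used only as a heuristic).

```powershell
# Added example, not code from the thread. Assumes the RSAT ActiveDirectory and
# GroupPolicy modules and an account that can read AdminSDHolder and GPO links.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName

# Rights Lee removed: Write (WriteProperty), Modify Permissions (WriteDacl),
# Modify Owner (WriteOwner). GenericAll and GenericWrite include WriteProperty,
# so an ACE carrying either of those matches this mask as well.
$writeMask = [int][System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor
             [int][System.DirectoryServices.ActiveDirectoryRights]::WriteDacl -bor
             [int][System.DirectoryServices.ActiveDirectoryRights]::WriteOwner

# 1. Allow ACEs on AdminSDHolder that still give Domain Admins or
#    BUILTIN\Administrators a write-type right. SDProp copies this ACL onto
#    every protected group and member on its (default hourly) run, which is
#    why ACL edits made directly on the Domain Admins group came back.
function Get-AdminSDHolderWriteGrants {
    $acl = Get-Acl -Path "AD:\CN=AdminSDHolder,CN=System,$domainDN"
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.IdentityReference.Value -like '*\Domain Admins' -or
         $_.IdentityReference.Value -eq 'BUILTIN\Administrators') -and
        (([int]$_.ActiveDirectoryRights) -band $writeMask) -ne 0
    } | Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType
}

# 2. Everything the AdminSDHolder ACL is applied to: SDProp marks protected
#    groups and their members with adminCount=1, so this is the full set of
#    objects the change on AdminSDHolder restricts, not just Domain Admins.
function Get-ProtectedObjects {
    Get-ADObject -LDAPFilter '(adminCount=1)' -Properties adminCount |
        Select-Object Name, ObjectClass, DistinguishedName
}

# 3. GPOs linked to the Domain Controllers OU in precedence order (link
#    order 1 is applied last and wins). A Restricted Groups definition for
#    Domain Admins in a GPO that outranks the controlling one would rewrite
#    the membership, which is Roger's closing point. The string match on the
#    XML report is a heuristic (assumption about the report's element name).
function Get-DomainControllersGpoOrder {
    $links = (Get-GPInheritance -Target "OU=Domain Controllers,$domainDN").GpoLinks
    foreach ($link in ($links | Sort-Object Order)) {
        $report = Get-GPOReport -Guid $link.GpoId -ReportType Xml
        [pscustomobject]@{
            Order               = $link.Order
            DisplayName         = $link.DisplayName
            Enabled             = $link.Enabled
            Enforced            = $link.Enforced
            HasRestrictedGroups = ($report -match 'RestrictedGroups')
        }
    }
}

Get-AdminSDHolderWriteGrants  | Format-Table -AutoSize
Get-ProtectedObjects          | Format-Table -AutoSize
Get-DomainControllersGpoOrder | Format-Table -AutoSize
```

Run it from a management workstation as an ordinary domain user; nothing here writes to the directory. The first table empty means the AdminSDHolder edit took; anything still listed will be propagated back to Domain Admins on the next SDProp pass. The third table is what to re-check after the change, since, as Roger notes, whoever can edit a GPO that sits above the controlling one on the Domain Controllers OU can undo the restriction through policy rather than through the ACL.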