Security Basics mailing list archives
RE: Restrict the Domain Admin
From: "Brian Loe" <knobdy () stjoelive com>
Date: Fri, 16 Sep 2005 14:42:44 -0500
I'm not sure that this can be done, but I would take a different approach if I truly didn't trust any of my domain admins (playing with fire, and your environment will NEVER be trustworthy with these types of people around). That approach would be to not have any domain admins but different groups that have been granted the various permissions they need to do what they need to do. How much you can give the non-built-in admin group you create, I don't know. I would like to be of more help, but as I say, you're starting off from an insecure position to begin with.
-----Original Message-----
From: sf_mail_sbm () yahoo com [mailto:sf_mail_sbm () yahoo com]
Sent: Friday, September 16, 2005 5:12 AM
To: security-basics () securityfocus com
Subject: Restrict the Domain Admin

Hi List,

Is there a way to restrict access of a Domain Admin? Example, can we allow a Domain admin to do everything EXCEPT user management (e.g. password reset)?

We want to secure our environment, and do not want to have "ALL-POWERFUL" domain admins around.

Thanks for your suggestions

P.S. Environment: Windows (2000 & 2003) - Active Directory