RE: Restrict the Domain Admin

["Brian Loe" <knobdy () stjoelive com>]

I'm not sure that this can be done, but I would take a different approach if
I truly didn't trust any of my domain admins (playing with fire, and your
environment will NEVER be trustworthy with these types of people around).
That approach would be to not have any domain admins but different groups
that have been granted the various permissions they need to do what they
need to do. How much you can give the non-built-in admin group you create, I
don't know.

I would like to be of more help, but as I say, you're starting off from an
insecure position to begin with. 

> -----Original Message-----
> From: sf_mail_sbm () yahoo com [mailto:sf_mail_sbm () yahoo com] 
> Sent: Friday, September 16, 2005 5:12 AM
> To: security-basics () securityfocus com
> Subject: Restrict the Domain Admin
>
> Hi List,
> Is there a way to restrict access of a Domain Admin?
>
> Example, can we allow a Dommain admin to do everything EXCEPT 
> user management (e.g. password reset)? 
>
> We want to secure our environment, and do not want to have 
> "ALL-POWERFULL" domain admins around
>
> Thanks for your suggestions
>
> P.S. Environment: Windows (2000 & 2003) - Active Directory