Security Basics mailing list archives

Re: Restrict the Domain Admin

From: Christos Triantafyllidis <ctria () physics auth gr>
Date: Sun, 18 Sep 2005 00:13:53 +0300

sf_mail_sbm () yahoo com wrote:

Hi List,
Is there a way to restrict access of a Domain Admin?

Nope.

Example, can we allow a Dommain admin to do everything EXCEPT user management (e.g. password reset)?

This won't be a "Domain admin"


We want to secure our environment, and do not want to have "ALL-POWERFULL" domain admins around

Thanks for your suggestions

P.S. Environment: Windows (2000 & 2003) - Active Directory

The best you can use is limit your domain admin account to the peoplethat should be domain admins. Add a new custom group for each privilegethat Active Directory allows you to have, and make users members of thegroups they should be.

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

Current thread:

Restrict the Domain Admin sf_mail_sbm (Sep 16)
- Re: Restrict the Domain Admin Christos Triantafyllidis (Sep 19)
- Re: Restrict the Domain Admin G. Chomic (Sep 19)
- Re: Restrict the Domain Admin Raoul Armfield (Sep 19)
- Re: Restrict the Domain Admin Pete Hunt (Sep 19)
- RE: Restrict the Domain Admin Brian Loe (Sep 19)
- Re: Restrict the Domain Admin cc (Sep 20)
- Re: Restrict the Domain Admin Cam Fischer (Sep 22)
  - Re: Restrict the Domain Admin Glenn English (Sep 26)
- <Possible follow-ups>
- RE: Restrict the Domain Admin Brunner, Mark (Sep 19)
- RE: Restrict the Domain Admin Robert McIntyre (Sep 20)
- RE: Restrict the Domain Admin Craig Wright (Sep 22)

(Thread continues...)