Security Basics mailing list archives
Re: Restrict the Domain Admin
From: Christos Triantafyllidis <ctria () physics auth gr>
Date: Sun, 18 Sep 2005 00:13:53 +0300
sf_mail_sbm () yahoo com wrote:
Hi List, Is there a way to restrict access of a Domain Admin?
Nope.
Example, can we allow a Dommain admin to do everything EXCEPT user management (e.g. password reset)?
This won't be a "Domain admin"
We want to secure our environment, and do not want to have "ALL-POWERFULL" domain admins around Thanks for your suggestions P.S. Environment: Windows (2000 & 2003) - Active Directory
The best you can use is limit your domain admin account to the people that should be domain admins. Add a new custom group for each privilege that Active Directory allows you to have, and make users members of the groups they should be.
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
Current thread:
- Restrict the Domain Admin sf_mail_sbm (Sep 16)
- Re: Restrict the Domain Admin Christos Triantafyllidis (Sep 19)
- Re: Restrict the Domain Admin G. Chomic (Sep 19)
- Re: Restrict the Domain Admin Raoul Armfield (Sep 19)
- Re: Restrict the Domain Admin Pete Hunt (Sep 19)
- RE: Restrict the Domain Admin Brian Loe (Sep 19)
- Re: Restrict the Domain Admin cc (Sep 20)
- Re: Restrict the Domain Admin Cam Fischer (Sep 22)
- Re: Restrict the Domain Admin Glenn English (Sep 26)
- <Possible follow-ups>
- RE: Restrict the Domain Admin Brunner, Mark (Sep 19)
- RE: Restrict the Domain Admin Robert McIntyre (Sep 20)
- RE: Restrict the Domain Admin Craig Wright (Sep 22)
(Thread continues...)