Security Basics mailing list archives

Re: Restrict the Domain Admin


From: Raoul Armfield <armfield () amnh org>
Date: Fri, 16 Sep 2005 16:46:28 -0400

sf_mail_sbm () yahoo com wrote:
> Hi List,
> Is there a way to restrict access of a Domain Admin?
>
> Example, can we allow a Domain admin to do everything EXCEPT user management (e.g. password reset)?
> We want to secure our environment, and do not want to have "ALL-POWERFUL" domain admins around.
>
> Thanks for your suggestions
>
> P.S. Environment: Windows (2000 & 2003) - Active Directory


Your best bet would be to do what we did in our environment. We gave rights as needed. We only have 4 Domain Level Admin accounts and those are only to be used when absolutely needed. Everyone uses an account that only has as many privileges as their job requires.

By doing this you can give them any rights that they might need.

Remember you WILL come across a situation where you want an "ALL-POWERFUL" domain admin account.

--
Raoul Armfield
Support Specialist
IT-Call Center
armfield at amnh dot org
American Museum of Natural History
Central Park West at 79th Street
New York, New York 10024-5192
(212) 313-7258

5152 1277 A04B 04C2 BBE4
3EE8 8369 3541 8B93 42DA

