Security Basics mailing list archives

RE: Restrict the Domain Admin

From: "Brunner, Mark" <MBrunner () tor fasken com>
Date: Fri, 16 Sep 2005 16:42:41 -0400

Yes, you would delegate permissions using GPO's in Active Directory instead of making them Domain Admins.
This way you can be as granular as you want when assigning admin chores, using least privelidge.

-----Original Message-----
From: sf_mail_sbm () yahoo com [mailto:sf_mail_sbm () yahoo com]
Sent: Friday, September 16, 2005 6:12 AM
To: security-basics () securityfocus com
Subject: Restrict the Domain Admin

Hi List,
Is there a way to restrict access of a Domain Admin?

Example, can we allow a Dommain admin to do everything EXCEPT user management (e.g. password reset)? 

We want to secure our environment, and do not want to have "ALL-POWERFULL" domain admins around

Thanks for your suggestions

P.S. Environment: Windows (2000 & 2003) - Active Directory

Current thread:

Restrict the Domain Admin sf_mail_sbm (Sep 16)
- Re: Restrict the Domain Admin Christos Triantafyllidis (Sep 19)
- Re: Restrict the Domain Admin G. Chomic (Sep 19)
- Re: Restrict the Domain Admin Raoul Armfield (Sep 19)
- Re: Restrict the Domain Admin Pete Hunt (Sep 19)
- RE: Restrict the Domain Admin Brian Loe (Sep 19)
- Re: Restrict the Domain Admin cc (Sep 20)
- Re: Restrict the Domain Admin Cam Fischer (Sep 22)
  - Re: Restrict the Domain Admin Glenn English (Sep 26)
- <Possible follow-ups>
- RE: Restrict the Domain Admin Brunner, Mark (Sep 19)
- RE: Restrict the Domain Admin Robert McIntyre (Sep 20)
- RE: Restrict the Domain Admin Craig Wright (Sep 22)
  - RE: Restrict the Domain Admin Charles Otstot (Sep 26)
  - RE: Restrict the Domain Admin Brian Loe (Sep 26)
- RE: Restrict the Domain Admin Depp, Dennis M. (Sep 22)
- RE: Restrict the Domain Admin Craig Wright (Sep 26)
- RE: Restrict the Domain Admin Craig Wright (Sep 26)
- Re: RE: Restrict the Domain Admin sf_mail_sbm (Sep 30)