Security Basics mailing list archives

RE: Restrict the Domain Admin


From: "Robert McIntyre" <robert.mcintyre () earthmail com>
Date: Mon, 19 Sep 2005 11:13:28 -0700

Hi List,
Is there a way to restrict access of a Domain Admin?

Example, can we allow a Domain admin to do everything EXCEPT user
management (e.g. password reset)?

We want to secure our environment, and do not want to have "ALL-POWERFUL"
domain admins around.

Thanks for your suggestions

P.S. Environment: Windows (2000 & 2003) - Active Directory

I would not recommend messing with the Domain Admin rights.  You might end
up shooting yourself in the foot.

Instead you could consider creating new domain groups with just the rights
that you want them to have and restrict the Domain Admin group to just a
small number of user accounts or maybe even just one for emergencies.

There are three ways to control the power and rights of your own group:

1. Control the groups that your new group is a member of.
2. Manually change the user rights that you assign to the group.
3. Use Active Directory to delegate control of objects in an OU to your new
group.
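One way to carry out the third option, as an added example that is not from the thread: PowerShell with the RSAT ActiveDirectory module (which postdates the 2005 environment in the question) delegates only the "Reset Password" extended right on one OU to a dedicated group, so helpdesk staff never need Domain Admins membership. The domain, OU path and group name are assumptions.

```powershell
# Added example, not from the original thread. Delegate only the
# "Reset Password" right on user objects under one OU to a dedicated
# group. Assumes the RSAT ActiveDirectory module and a hypothetical
# domain example.com with the OUs named below.
Import-Module ActiveDirectory

$ou        = "OU=Staff,DC=example,DC=com"          # assumed target OU
$groupOu   = "OU=Admin Groups,DC=example,DC=com"   # assumed group container
$groupName = "Helpdesk-PasswordReset"              # assumed group name

# 1. A dedicated security group with no other rights (least privilege).
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global `
                -GroupCategory Security -Path $groupOu
}
$group = Get-ADGroup $groupName
$sid   = $group.SID   # already a SecurityIdentifier in the AD module

# 2. Well-known schema GUIDs: the "Reset Password" extended right and
#    the "user" object class (fixed values in every AD forest).
$resetPasswordGuid = [Guid]"00299570-246d-11d0-a768-00aa006e0529"
$userClassGuid     = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"

# 3. One ACE: allow ExtendedRight (Reset Password) on descendant user
#    objects only, then append it to the OU's ACL.
$ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
    -ArgumentList @(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $resetPasswordGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClassGuid)

$acl = Get-Acl -Path "AD:\$ou"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ou" -AclObject $acl

# 4. Verify: show only the ACEs on the OU that name the new group, so an
#    audit can confirm nothing broader was granted.
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType
```

Members of the group can then reset passwords under that OU and nothing else; the same pattern with a different right GUID covers other delegated tasks, while Domain Admins membership stays limited to the emergency accounts the reply suggests.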
